Five Questions (and Answers) about the Privacy Shield

In a few words, a fair cross-border procedure for bringing personal data outside the European Economic Area to third countries requires the adoption of the measures exhaustively listed in Directive 95/46/CE. One of them was Safe Harbor (as an adequacy decision of the European Commission, see http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm), which was struck down by the Court of Justice of the European Union last October.

The Article 29 Working Party (which brings together the European Data Protection Authorities) gave the European Commission (the executive branch of the European Union) a deadline of the end of January to replace the Safe Harbor in compliance with the principles laid down by the Court. It also scheduled a plenary meeting after the expiration of that period, in order to express an opinion on the real extent of the judgment, to determine the area in which it would actually produce its consequences, and to indicate to the Member States what to do.

After the expiration of the deadline, on February 2, 2016, the European Commission stated that it had received from the US Authorities assurances it considered sufficient to ensure the protection of data subjects in the transfer of personal data to the US. It announced that it had obtained a new safe harbor, renamed the US-EU Privacy Shield to highlight that it would provide greater protection and to distinguish it from the previous one.

During the meeting of the Art. 29 Working Party, the Commission orally presented the Privacy Shield. Although the Commission missed the deadline, the Working Party decided to take into account both the political will not to stop data transfers to the USA and the efforts made by the Commission.

Because the Working Party was not involved in the negotiation between the Commission and the US Authorities, and received only an oral report by the Commission, “it looks forward to receive the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by Schrems judgment as regards international transfers of personal data”.

In particular, the Working Party needs to evaluate the binding nature of the Privacy Shield, the exact content of the obligations assumed by the United States, the system for monitoring compliance with them, and the domestic remedies provided in case of breach. The Working Party has reserved all decisions until after the examination of the documents, giving the Commission until the end of February 2016 to transmit them.

If the Commission meets the deadline, the Working Party hopes to give its opinion around the end of March and no later than April 2016.

Below I’ll try to focus, concisely, on some aspects that may be of interest to operators.

What is the Privacy Shield?

At present, the Privacy Shield is actually nothing yet.

It is a long series of negotiations, between the EU Commission and the US Authorities, which will be formalized in the coming days, and transmitted to the Article 29 Working Group so that it can evaluate the level of protection.

The purpose is to create a procedure that guarantees adequate safeguards for personal data transferred from the EU to the US. That procedure may become the basis of a Decision of the Commission which, once upheld by the national DPAs, will allow data transfers to the US without formalities.

So it is neither an international Treaty nor a procedure for European organizations. If the Commission adopts an adequacy decision on that basis, with the approval of the national DPAs, US organizations could accede to the protocol, and European controllers could transfer personal data to the US without doing anything more.

Is the Privacy Shield already in place?

No. It follows from the above that it is not yet applicable.

In Italy, for example, the Italian Data Protection Authority will enable data transfers to the USA on the basis of the Privacy Shield by issuing an Authorisation, a kind of decision that will be published in the Italian Official Journal and on the DPA's website.

Currently, transfers of personal data cannot take place on the basis of the Privacy Shield; companies, multinationals and other organisations will have to rely on the other tools listed in Art. 26 of Directive 95/46/CE.

Is it still possible to use standard contractual clauses (also called “model clauses”) and Binding Corporate Rules to transfer personal data?

Yes, it is. In the statement released on February 3, 2016 (http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160203_statement_consequences_schrems_judgement_en.pdf), the Working Party said that these tools can still be used for data transfers to the US. The WP29 has called on the Commission to communicate all the documents pertaining to the new Privacy Shield arrangement by the end of February. The WP29 will then be in a position to complete its assessment for all personal data transfers to the U.S. at its extraordinary plenary meeting, which will be organized in the coming weeks. In the meantime, the WP29 considers that model clauses and Binding Corporate Rules are still viable tools to transfer data.

It is worth noting that the WP29 has subordinated the future validity of the BCR and the standard contractual clauses to the coverage offered by the Privacy Shield, and therefore the fate of all these instruments appears closely connected. To offer a satisfactory level of adequacy, the Privacy Shield will have to offer protection also to transfers based on BCR and SCC. On the other hand, if the level of adequacy provided by the Privacy Shield as a whole is not considered sufficient, all the transfer mechanisms will fall with it, so, unless extended for adaptation, even BCR and SCC will no longer be available.

Until the Privacy Shield is in place, could organizations keep transferring data to the US on the basis of the Safe Harbor, instead of on BCR or SCC?

No, they could not. Transfers based only on Safe Harbor are prohibited. Organizations need to use SCC if it is not possible to use the other tools listed in Article 26 of Directive 95/46/CE (the BCR have a long approval procedure and basically only multinational corporations can adopt them). If it is not possible for an organization to use SCC, then it needs to stop or suspend the transfers of personal data to the US.

Could the Privacy Shield be invalidated by the Court of Justice of the European Union?

The WP29 has derived a set of principles from the case law of the Court of Justice, and has said that it will use them as parameters to evaluate the adequacy of the Privacy Shield. The Privacy Shield will have to offer more guarantees than the Safe Harbor.

However, nothing prevents it from again being subject to the scrutiny of the Court of Justice after its “entry into force”: if it does not respect the principles already established by the Court, the Court may invalidate it.

That is why the outcome of the Working Party's analysis cannot, at present, be predicted: the evaluation must be rigorous to avoid another “snip” by the ECJ, but without anything in writing, it is not possible to evaluate anything.

For more info, Avv. Cristina Vicarelli

Read the original blog in Italian here.