As anticipated the Article 29 Working Party (often known as WP29), a group of the EU’s data protection regulators met in Brussels today to discuss the European Commission’s Privacy Shield scheme, the proposed replacement for Safe Harbor.
As we had anticipated in our earlier alerts WP29 decided that in their view Privacy Shield does not offer adequate protection. Whilst the decision is not binding on the Commission it will be hard to ignore if Privacy Shield is to be successful, especially since enforcement is still in the hands of the data regulators who sat around the table at WP29 and not in the hands of the Commission.
WP29’s position is not a surprise, especially given the rumours coming out of Germany. As we mentioned previously some German data protection authorities have had a long-held objection to Safe Harbor and they have been the most aggressive in enforcement since Safe Harbor died (for more on this see our alert here).
Amongst WP29’s criticisms are:
- A lack of clarify over the ombudsman role; and
- Exceptions allowing the US to still collect European bulk data.
Most companies, as we have said before, will have to plan for a world without Safe Harbor or Privacy Shield at least in the short term. They will have to explore alternative solutions including EU model terms and Binding Corporate Rules (BCRs). BCRs are likely to gain momentum and sources close to WP29 tell us that we can expect statements soon from regulators removing some of the existing objections to BCRs. In addition BCRs will gain in use once their statutory status is confirmed by the forthcoming General Data Protection Regulation (GDPR) – there is more on this in our GDPR FAQs here.
We have been working with clients since October on the alternatives to Safe Harbor. We looked at the various options for data transfer post Safe Harbor here.
We have a number of resources to help companies plan for a future without Safe Harbor. They include:
- A glossary of key data protection terms;
- A short film and background note on Privacy Shield;
- A background note and film on the original Schrems decision.
We have considerable experience of helping companies comply from a wide range of sectors work on their plans to comply.
For more information please contact Jonathan Armstrong, Gayle McFarlane or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Gayle McFarlane, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1786
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
Originally published by CORDERY on April 13, 2016 at http://www.corderycompliance.com/wp29-refuse-to-endorse-privacy-shield-scheme/