European data protection agencies sceptical of new personal data agreement

The new political agreement on the transfer of personal data between the United States and the EU gives the European data protection agencies cause for concern. The joint group of data protection agencies have set out four fundamental principles determining whether the United States or other countries outside the EU adequately protect individuals vis-Ă -vis the authorities.

On 3 February 2016 the European data protection agencies in the Article 29 Working Party (the "WP29") held a press conference about the consequences of the Schrems judgment and about the European Commission entering into an agreement with the United States on the EU-US Privacy Shield.

Read the European data protection agencies' press release.

The group stated that it has assessed the legal framework of the United States and has identified several factors giving rise to considerations in relation to the transfer of personal data from the EU/EEA to the United States.

In that connection four fundamental principles have been set out for the assessment of whether the United States or other countries outside the EU/EEA adequately protect individuals in relation to the authorities. The principles are:
  1. The authorities' access to data should be based on clear, precise and accessible rules.
  2. The authorities' access to data and use of data must be necessary and proportional - a balance needs to be found between the objective (national security) and the interference with individuals' right to protection of their private life.
  3. An independent, efficient data protection authority should exist.
  4. Effective remedies need to be available to the individual in order that such individuals will have an opportunity to defend their rights
In order to assess whether the new agreement accommodates the concerns the group has initially called on the European Commission to provide the documents relating to the EU-US Privacy Shield within three weeks.

It is expected that the WP29 will have completed its analysis at the end of March/the beginning of April of whether the agreement and the derived amendments in the United States will alleviate the concerns.

Other transfer tools may also be affected

However, it is also important to note that the WP29 is still considering whether the concerns in question also affect other transfer tools, including in particular the European Commission's standard agreements and Binding Corporate Rules, when personal data are transferred to the United States or other countries outside the EU/EEA. The WP29 will make a statement about this at the end of March/beginning of April.

Accordingly, the WP29 will for the time being allow the use of standard agreements and Binding Corporate Rules. As pointed out in October 2015, enterprises that might still be using Safe Harbor as a transfer tool will have to find alternative transfer tools. The WP29 will leave it to the individual agency to decide the extent to which they will impose sanctions on data controllers that have failed to get alternative transfer tools in place.

This is disturbing news to data controllers using the European Commission's standard agreements or Binding Corporate Rules as transfer tools when transferring data to other third countries than the United States. There is a real risk that the data protection agencies will also use the above four principles in relation to transfers to, for example, India and China, and that the assessment in respect of these countries will be negative. If this happens, the data protection agencies can on a case-by-case basis prohibit the use of standard agreements and Binding Corporate Rules for transfers to the countries that have failed the "test".

At the time of writing it is therefore not unrealistic that the United States will end up as the winner of the Schrems case in the sense that the United States will be able to pass a "test" under the four new principles whereas, for example, India and China will end up as losers, as these countries probably will not be able to pass the test right away.

On 4 February 2016 the Danish Data Protection Agency published an article (in Danish) about the case in which it concurs with WP29's statement.

Latest news on Data Protection Law

Data Protection Law