The European data protection agencies give personal data agreement with the US the thumbs down
The EU-US Privacy Shield on the transfer of personal data between the EU and the US is not safe enough. This is the opinion of the European data protection agencies.
Since then there has been an ongoing process where the European Commission has negotiated with the US authorities on the changes in the US rules on the authorities' access to personal data. The result was the EU-US Privacy Shield which we described in February 2016: "Personal data - new agreement on Safe Harbor in the pipeline"
However, the process has turned out to be difficult, and even before it has been formally issued, the EU-US Privacy Shield on the transfer of personal data between the EU and the US has already faced serious challenges. The reason is that the European data protection agencies in the so-called WP29 find that the new EU-US Privacy Shield does not meet a number of fundamental requirements.
The joint group of data protection agencies has previously set out four key principles determining whether the US, and other countries outside the EU, adequately protect individuals vis-à-vis the authorities:
- The authorities' access to personal data should be based on clear, precise and accessible rules
- The authorities' access to and use of personal data must be necessary and proportional - a balance needs to be found between the objective (national security) and the interference with the individuals' right to protection of their private life
- An independent, efficient data protection authority should exist
- Effective remedies need to be available to individuals so that they have an opportunity to defend their rights
The WP29 does not believe that the agreement in its current form fulfils the principles. Clearer rules preventing US authorities from collecting data on Europeans from US businesses are needed.
A central point of criticism of the EU-US Privacy Shield is that it does not sufficiently ensure an independent and strong appeals body. The agreement should provide firmer guarantees that the ombudsman, whom the US must appoint under the agreement, actually becomes an appeals body with the power to stop disclosures of personal data that conflict with the rules.
The Privacy Shield faces an uncertain future
The European data protection agencies cannot formally block the agreement. The European Commission has also continued the work and started holding meetings with the Member States in the so-called Article 31 Committee (established under the authority of Article 31 of the Personal Data Directive).
The Member States may veto the EU-US Privacy Shield, and the European Commission must therefore secure a sufficient majority of the votes in the Article 31 Committee for the view that the agreement, perhaps with minor changes, provides sufficient protection.
The expectation was that the discussions between the European Commission and the Article 31 Committee could be concluded at a meeting on 20 May 2016, but according to leaked information no agreement was reached and more meetings are necessary. This means that the EU-US Privacy Shield will not be finalised in June 2016 as originally planned.
In the meantime US businesses will have to use other and more demanding legal bases for transferring data from the EU to the US, for example the European Commission's standard agreements or the Binding Corporate Rules.
Regardless of the delay, it is certain that the EU-US Privacy Shield will be subject to litigation once the European Commission has issued a formal decision that the Privacy Shield scheme can be used as a transfer basis.
Plesner therefore recommends that you look at other solutions already at this point, if practically possible. In that connection, you should remember that the informal "transition period" has expired and that you should have another basis in place to replace the Safe Harbour scheme.
The future for the other transfer bases
However, transfers based on the European Commission's standard agreements or the Binding Corporate Rules can also turn out to be problematic.
At the same time as publishing its opinion on the EU-US Privacy Shield, the WP29 issued an opinion elaborating on the four key principles. The four key principles for when a country provides sufficient protection of individuals against the authorities in respect of the processing of personal data are directed at the state of due process of law in each country. If that state is not satisfactory, neither the European Commission's standard agreements nor the Binding Corporate Rules will in reality result in sufficient protection of the registered individuals in the countries in question.
In practice, the emphasis on the key principles makes it possible for the national data protection agencies to look into, on a case-by-case basis, whether the transfer of personal data on the basis of the European Commission's standard agreements is legal.
It will therefore not be surprising if the actual consequence of articulating the four key principles is that, in the medium term, the transfer of data to certain countries that are not considered to provide sufficient due process of law guarantees will actually be shut off.
Plesner expects that the WP29 will present another opinion on this subject in connection with its next meeting to be held on 7-8 June 2016.