Uncertainty surrounding the U.S.-EU Safe Harbor (Safe Harbor) replacement, the EU-U.S. Privacy Shield (Privacy Shield), will remain for now. On April 13, 2016, the European Union (EU) Article 29 Working Party (WP29), composed of all 28 EU member state data protection authorities (DPAs), announced its official but non-binding opinion on the European Commission’s (EC) draft “adequacy” finding of the Privacy Shield.
WP29 released its long-expected Privacy Shield analysis, which is divided into an assessment of the commercial aspects of the transfer mechanism and an assessment of the national security derogations in Privacy Shield. WP29 stated that the commercial aspects of the new data transfer mechanism are an improvement over Safe Harbor, but the framework lacks clarity in certain areas. Regarding national security derogations, U.S. improvements were commended there too, but WP29 also expressed continued concerns over the possibility of the “bulk collection” of data for national security purposes and the independence and effectiveness of the proposed U.S. national security ombudsperson.
The WP29 opinions express a belief among DPAs that there is still work to be done on Privacy Shield to increase clarity in the commercial principles and guarantee fundamental rights with regard to national security. Technically, the EC does not have to address any of the WP29 concerns, as the WP29 opinions are non-binding. However, if the DPAs are not appeased now, certain DPAs are all but guaranteed to encourage legal challenges to Privacy Shield immediately once the EC attempts to implement it.
What are Companies to Do?
WP29 has not officially commented on – and the national DPAs therefore have not prohibited – either of the alternative data transfer mechanisms (i.e., Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs)). A negative opinion of WP29 on the other mechanisms would not per se make the transfer mechanisms invalid (only the EC and European Court of Justice have the power to make that finding), but in practice, DPAs could refuse to accept them.
The EC was on track to finalize and implement the Privacy Shield by June. There could very well be a delay if the EC and U.S. go back to the drawing board to address the WP29 concerns. The only thing that is certain is that BCRs and SCCs remain valid until further notice.