The Article 29 Working Party has broadly welcomed the Commission’s proposals for a Privacy Shield to ensure that data transfers to the USA can continue. But the statement, which is set out in full below, amounts to a gigantic ‘let’s wait and see’. Nonetheless, sighs of relief will be heard from businesses involved in such data transfers because the alternative, a move to enforcement, would be much worse from their perspective.
The full text of the statement is as follows:
On 2-3 February 2016, the Article 29 Working Party (WP29) met to discuss the consequences of the CJEU judgment in the Schrems case for international transfers.
The WP29 welcomes the fact of the conclusion of the negotiations between the EU and the U.S. on the introduction of a “EU-U.S. Privacy Shield”, which meets the deadline set by the WP29 in its statement of 16 October. It looks forward to receive the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by Schrems judgment as regards international transfers of personal data.
As it was announced in its statement, the WP29 analysed in the last weeks the robustness of the other transfer tools as regard the reasoning of the Court. Therefore it has been assessing the current legal framework and practices of US intelligence and the conditions under which it allows any unjustified interference to the European right to respect for private life and data protection.
In order to have a clear and fully comprehensive understanding of the situation and the impact on transfers of personal data from the EU to the U.S., the WP29 has held hearings and discussions with academics, businesses representatives, senior government officials and civil society from both the United States and the EU.
The WP29 has conducted its assessment in light of the European jurisprudence on fundamental rights which sets four essential guarantees for intelligence activities:
A. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;
B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
C. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
D. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.
The WP29 stresses that these four guarantees should be respected whenever personal data are transferred from the EU to the United States and to other third countries, as well as by EU Member States.
Even though the WP29 certainly recognises the efforts of the U.S. in 2014 and 2015 to improve the protection of the data of non-U.S. persons, it still has concerns on the current U.S. legal framework as regards the four essential guarantees, especially regarding scope and remedies.
Following the press conference of the European Commission on the “EU-U.S. Privacy Shield” on 2 February 2016, the WP29 stands ready to analyse the result of the negotiations in the light of the European essential guarantees described above. It will especially have to consider if its concerns regarding the U.S. legal framework can be alleviated following the introduction of the EU-U.S. Privacy Shield. The WP29 will also analyse to what extent this new arrangement will provide legal certainty for the other transfer tools. The WP29 will examine whether the provisions respect the powers of data protection authorities as laid down in Article 28 of Directive 95/46/EC.
The WP29 recalls that since the Schrems judgment, transfers to the U.S. cannot take place on the basis of the invalidated Safe Harbour decision. EU data protection authorities will therefore deal with related cases and complaints on a case-by-case basis.
The WP29 calls on the Commission to communicate all documents pertaining to the new arrangement by the end of February. The WP29 will then be in position to complete its assessment for all personal data transfers to the U.S. at an extraordinary plenary meeting that will be organized in the coming weeks. After this period, the WP29 will consider whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S. In the meantime, the WP29 considers that this is still the case for existing transfer mechanisms.