Article 29 reserves position on EU-U.S. Privacy Shield; uncertainty for companies remains

Following the European Commission’s announcement on 2 February 2016 that agreement had been reached with the U.S. government on a new EU-U.S. Privacy Shield, the Article 29 Working Party (the A29 WP) held a press conference on 3 February confirming that whilst they see the agreement between negotiators as a positive step, they are reserving their position as to whether the mechanisms that will be introduced will resolve their primary concerns; namely, the scope of access to personal data by U.S. intelligence agencies, and the lack of redress for data subjects.

The A29 WP were not involved in the Privacy Shield negotiations and were only asked a few limited questions at the last minute, although they confirmed that they did receive a U.S. delegation in Paris in order to raise their concerns.

In their subsequent official press release, the A29 WP has called on the Commission to provide draft texts by the end of February, in order to enable the A29 WP to study the content and the “legal bindingness” of the arrangement at an extraordinary plenary meeting that will be arranged in the coming weeks.

The A29 WP had been due to provide its conclusion as to whether Model Clauses and Binding Corporate Rules still provide an adequate basis for transfers to the United States.  The A29 WP did confirm that the initial result of the analysis they have been conducting since October is that they do have concerns about whether Model Clauses and Binding Corporate Rules provide an adequate basis for transfers (citing the indiscriminate access to personal data by intelligence agencies as being their main concern).  However, in light of the Commission’s announcement, the A29 WP have extended their review period of the Model Clauses and the Binding Corporate Rules and will only make a final decision once they have completed their analysis of the newly agreed EU-U.S. Privacy Shield. The A29 WP confirmed that in the interim, companies can continue to use these transfer tools.

The reason given by the A29 WP for tying their decision about the use of Model Clauses and Binding Corporate Rules to their assessment of the Privacy Shield is because the A29 WP wishes to explore whether the commitments given by the U.S. government (in respect of access to European personal data by U.S. intelligence agencies) will apply to all transfer tools or just to the Privacy Shield, and whether the EU-U.S. Privacy Shield will introduce legally binding mechanisms.  When addressing the A29 WP this morning, Commissioner Věra Jourová advised them that the Privacy Shield should contain a mechanism so that any commitments given by the U.S. government will not be automatically invalidated after the election if the U.S. government changes.

In their press release, the A29 WP stress that their concerns about robust protection for the rights of data subjects and the scope of access to personal data apply to all intelligence agencies in third countries, and not just intelligence agencies in the United States.  Although the A29 WP has confirmed that it will not give a final decision on the other transfers tools until it has analysed the EU-U.S. Privacy Shield, it is not yet clear how the A29 WP’s assessment of commitments given by the U.S. government will impact on companies’ use of Model Clauses and Binding Corporate Rules as a means of legitimising data transfers to jurisdictions other than the U.S.  However, the A29 WP’s initial comments suggest that Model Clauses and Binding Corporate Rules may not be sufficient, in and of themselves, if the countries to which the data are being transferred do not respect the rights of data subjects.

The A29 WP reiterated that companies who have so far been adopting a “wait and see” approach following the invalidation of Safe Harbor are now in an “illegal” position, and must adopt other transfer tools to legitimise cross-border transfers.  Data protection authorities may begin to take enforcement action against these companies (especially where data subjects make complaints).

The A29 WP confirmed that all data protection authorities have committed themselves to the official statement that was formally released this afternoon, which hopefully means that data protection authorities should no longer refuse to authorise model clauses (which had been the case in jurisdictions such as Germany following the invalidation of Safe Harbor).  However, it remains to be seen whether a uniform approach will be taken by data protection authorities across Europe and overall, there is still a lack of certainty for companies, and question marks over the long-term use of Model Clauses and Binding Corporate Rules remain.