A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 6 January 2016
The EU Commission has announced political agreement on the formation of a new transatlantic data transfer regime, the EU-US Privacy Shield (Privacy Shield) to replace Safe Harbor.
Since the CJEU's judgment on 6 October 2015 in the case of Maximillian Schrems v Data Protection Commissioner where the EU-US Safe Harbor regime was declared invalid (see my previous editorial on the Schrems decision here), discussions have been ongoing between the EU and US in an attempt to establish a new and more resilient regime for transferring personal data across the Atlantic.
The European Commission and US were given until the end of January to find an appropriate solution with the European Data Protection Supervisor and Working Party 29 warning that failure to resolve issues raised in Schrems concerning the indiscriminate monitoring of EU citizens by US authorities would result in Working Party 29 considering the validity of all transfers to the US, including those made under model clauses and binding corporate rules.
Companies were given no choice but to hastily look to replace contracts previously reliant on Safe Harbor with model clauses agreements. Working Party 29 announced that transfers based on Safe Harbor were no longer valid but announced that no enforcement action would be taken until the end of January, the implication being that companies who did not take action to put alternative mechanisms in place would be subject to such enforcement once the January deadline had passed. However, the elephant in the room remained: the reasons why Safe Harbor was declared invalid in Schrems were equally applicable to the other mechanisms for transferring personal data to the US. Working Party 29 used this fact to their advantage in imposing the end of January deadline on the Commission and the US, as the alternative would have been that all data transfers to the US would need to be suspended.
The Privacy Shield solution, hastily announced on the 2 February, claims to provide Europe with its required assurances that the access of US public authorities for national security purposes will be subject to limitations, safeguards and oversight mechanisms. However details on how this is to be achieved are sketchy at best at present and it is not entirely clear how effectively this new regime will address the chasms highlighted by the downfall of Safe Harbor.
Following the announcement, Working Party 29 published a statement explaining that they will delay their discussion on transfers to the US under model clauses and binding corporate rules until they have been given more detail on the Privacy Shield. They have asked to receive final drafts of the proposal within 3 weeks, allowing them to work towards a final decision on US data transfers. They have agreed that transfers to the US under model clauses and binding corporate rules will remain valid until then, and have set out the four "guarantees" that must be met in order to transfer data outside Europe under any mechanism and to any country. These are:
As such Working Party 29 will be undertaking further analysis of the agreement in the context of Privacy Shield and in respect of other transfer mechanisms.
If there was any hope in your mind as to whether Safe Harbor would live to fight another day that should now be dismissed. If its replacement survives Working Party 29 scrutiny, the Privacy Shield is unlikely to be available until the summer or autumn and the Working Party 29 has confirmed that transfers still reliant on Safe Harbor are illegal.
Therefore, although there is no guarantee that model clauses and binding corporate rules will survive Working Party 29's April scrutiny, companies have little choice but to put these alternative mechanisms in place for the time being if they wish to continue to use vendors in the US without fear of enforcement action. Alternatively, companies could relocate services to the EU, a trend we have noticed from a number of large cloud providers.
Click the below headings to read more...
Please click here for the Glossary.
London - Walbrook
+44 (0)20 7894 6577
Shehana Cameron Perera, Lorraine Ekong, Jade Kowalski, Rhiannon Webster, Ceri Fuller, Khurram Shamsee, Christopher Air, Sophie Devlin
Shehana Cameron Perera, Michael McMillen, Lorraine Ekong
Jade Kowalski, Shehana Cameron Perera, Zoe Lockton, Rhiannon Webster
Aleksandar Dimitrov, Neal Pal
Rhiannon Webster, Charlie Christie
Michael McMillen, Rhiannon Webster, Ben Savery
Ceri Fuller, Khurram Shamsee, Christopher Air, Jade Kowalski, Sophie Devlin
Rhiannon Webster, Khurram Shamsee
Charlotte Burnett, Rodrigo Fernández Guerra Fletes, Rowena McCormack
Rhiannon Webster, Khurram Shamsee, Ceri Eaton
Khurram Shamsee, Rhiannon Webster