The Article 29 Working Party expressed its position on the Privacy Shield and on the scenario applicable to current data transfers to the United States.
I had already covered in a previous blog post, the breaking news about the positive conclusion of the negotiations between the European Commission and the United States on the scheme for the transfer of personal data between the European Union and the US, the Privacy Shield or Safe Harbor 2.0.
What is the position of the WP29 on the Privacy Shield
The Article 29 Working Party, whose members are the data protection authorities of all the EU Member States, issued a press release where it welcomed the Privacy Shield. But it also held that
stands ready to analyse the result of the negotiations in the light of the European essential guarantees […] It will especially have to consider if its concerns regarding the U.S. legal framework can be alleviated following the introduction of the EU-U.S. Privacy Shield.
In particular, the WP29 considered 4 essential guarantees to be met by new scheme in order to be compliant with EU principles following the decision of the European Court of Justice that invalidated the Safe Harbor
- Processing should be based on clear, precise and accessible rules;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be
- An independent oversight mechanism should exist, that is both effective and impartial;
- Effective remedies need to be available to the individual: anyone should have the right to
defend her/his rights before an independent body.
Based on the above it seems that the WP29 has not yet validated the Privacy Shield and the final outcome of the negotiations is still pending.
What happens to the current data transfers?
Pending the finalization of the approval of the Privacy Shield, the Article 29 Working Party confirmed that the Safe Harbor cannot be used as legal basis for data transfers to the United States. But what really matters is that
- After the review of the documentation relating to the Privacy Shield, the WP29 will assess whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S., while
- In the meantime, the WP29 considers that this is still the case for existing transfer mechanisms.
Therefore companies relying of the Standard Contractual Clauses or the Binding Corporate Rules for data transfers to the United States “should” be safe.