Data ProtectionPrivacy

WP29 raises concerns on EU-US Privacy Shield

The Article 29 Working Party expressed its position on the Privacy Shield and on the scenario applicable to current data transfers to the United States.

I had already covered in a previous blog post, the breaking news about the positive conclusion of the negotiations between the European Commission and the United States on the scheme for the transfer of personal data between the European Union and the US, the Privacy Shield or Safe Harbor 2.0.

What is the position of the WP29 on the Privacy Shield

The Article 29 Working Party, whose members are the data protection authorities of all the EU Member States, issued a press release where it welcomed the Privacy Shield. But it also held that

stands ready to analyse the result of the negotiations in the light of the European essential guarantees […] It will especially have to consider if its concerns regarding the U.S. legal framework can be alleviated following the introduction of the EU-U.S. Privacy Shield.

In particular, the WP29 considered 4 essential guarantees to be met by new scheme in order to be compliant with EU principles following the decision of the European Court of Justice that invalidated the Safe Harbor

  1. Processing should be based on clear, precise and accessible rules;
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be
  3. An independent oversight mechanism should exist, that is both effective and impartial;
  4. Effective remedies need to be available to the individual: anyone should have the right to
    defend her/his rights before an independent body.

Based on the above it seems that the WP29 has not yet validated the Privacy Shield and the final outcome of the negotiations is still pending.

What happens to the current data transfers?

Pending the finalization of the approval of the Privacy Shield, the Article 29 Working Party confirmed that the Safe Harbor cannot be used as legal basis for data transfers to the United States. But what really matters is that

  • After the review of the documentation relating to the Privacy Shield, the WP29 will assess whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S., while
  • In the meantime, the WP29 considers that this is still the case for existing transfer mechanisms.

Therefore companies relying of the Standard Contractual Clauses or the Binding Corporate Rules for data transfers to the United States “should” be safe.


Don't miss our weekly insights

Show More

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our clients' success.

Related Articles

Back to top button