By Ulrich Wuermeling, Gail Crawford and Jennifer Archie
Earlier this week, the European Commission announced that a “political” agreement has been reached on a new framework for data flows from the EU to the US. The announcement highlights a few changes from the old Safe Harbor regime, such as more direct and active oversight by US regulators, more stringent privacy protections, and establishing an ombudsman at the State Department for EU citizens who wish to complain about data protection matters. However, as a legal and compliance matter, US companies who previously relied upon Safe Harbor to transfer EU data take significant compliance risk if they do nothing in anticipation of newly branded EU-US Privacy Shield framework being formally approved, given it is not yet documented and will be subject to review by the EU data protection supervisory authorities in the so-called Article 29 Working Party as well as representatives of the Member States and the European Parliament.
Following the announcement of the political agreement, the Article 29 Working Party published a Statement regarding the EU-US Privacy Shield arrangement on February 3rd. The Statement does not expressly extend the grace period for enforcement that ended on January 31st, meaning regulators may start taking enforcement action against EU companies that still rely on Safe Harbor. The Article 29 Working Party stresses that transfers of personal data to the US must not take place on the basis of the invalidated Safe Harbor decision and that national authorities will deal with related cases and complaints on a case-by-case basis. Companies that were hoping that Safe Harbor II would mean they did not need to look at alternatives, can take little comfort from the current state of play and must endure a period of uncertainty. There is currently no certainty as to when the new EU-US Privacy Shield will be in place, or indeed whether it will be deemed adequate.
The Article 29 Working Party has requested full documentation on the EU-US Privacy Shield to be provided for review by the end of February 2016. Under the proposed EU-US Privacy Shield, the US administration intends to commit in letters to provide for additional protection for data transferred from the EU to the US. Even if the Article 29 Working Party considers the EU-US Privacy Shield proposal sufficient to pass an adequacy decision allowing data transfers to take place, the finalization of the new arrangement will take time.
In the interim, the Article 29 Working Party confirms other instruments (such as Model Contracts or Binding Corporate Rules) can still be used for data transfers to the US, but also reserves the right to consider further whether these instruments can still be used in the future. However, in evaluating the adequacy of any of these instruments, the authorities will have to comply with the Schrems Judgment which clarifies the powers of the authorities by making clear that only the Court of Justice is entitled to invalidate adequacy decisions of the European Commission. Any challenge to an adequacy decision in front of the Court of Justice would take several years as the issue needs to come before national courts and then be referred by a national court to the Court of Justice.
Therefore, the options of the authorities are legally limited. In countries where Model Contracts have to be authorized by supervisory authorities (such as Austria, Bulgaria, Cyprus, Denmark, Estonia, France, Lithuania, Luxembourg, Malta, Poland, Romania, Slovenia and Spain) the authorizations might be delayed or rejected. The European Commission’s view is that the supervisory authorities are not entitled to do so, but it would take time to clarify the issue through court proceedings.
Some supervisory authorities (such as the data protection supervisory authority in Schleswig-Holstein, Germany) might also take the view that companies do not comply with the provisions of the Model Contracts if the data is subjected to overreaching Government access without judicial redress in the receiving country. This risk most acutely impacts companies such as telecommunications, social media, or internet service providers who more routinely receive national security or law enforcement requests for personal data. In the US, European data subjects have limited or no rights to judicial redress under current laws. In any event, the risk ought reasonably to be mitigated by the fact that Government access has been deemed acceptable by the European Commission when it made the relevant adequacy decisions on Model Contracts.
Taking the present state-of-play into account, Model Contracts might not be a long-term solution, but provide the best alternative to Safe Harbor available for the time being. EU companies that continue to rely on the invalidated Safe Harbor framework are at risk of being subjected to enforcement actions by their respective data protection authority.