Privacy & Information Security Law Blog

On February 3, 2016, the Article 29 Working Party (the “Working Party”) issued a statement on the consequences of the ruling of the Court of Justice of the European Union (the “CJEU”) in the Schrems case invalidating the European Commission’s Safe Harbor Decision.

The statement follows several weeks of analysis of the other data transfer mechanisms (i.e., the EU Standard Contractual Clauses and Binding Corporate Rules) in light of the CJEU’s judgment, as well as the assessment of the current legal framework, practices of U.S. intelligence services and the conditions under which it allows interferences to the EU right of privacy and data protection.

Four Essential Guarantees for Intelligence Activities

The assessment of the Working Party is based on four essential guarantees, arising from European case law on fundamental rights:

• The processing of personal data should be based on clear, precise and accessible rules, that allow individuals to understand the locations where their data is transferred.
• The necessity and proportionality of the processing and transfer of personal data must be demonstrated. A balance should be found between the rights of individuals and the purposes for which data are collected and accessed in the context of national security.
• An effective, impartial and independent oversight mechanism should exist to monitor the collection of and access to personal data.
• Individuals must have access to effective remedies to defend their rights.

These four guarantees must be respected when transferring personal data not only to the U.S., but also to other third countries, as well as to EU Member States.

Assessment of EU-U.S. Privacy Shield

The Working Party states that it still has concerns that the U.S. legal framework does not meet the four guarantees identified above and in particular, with regard to the scope and remedies available to individuals.

The Working Party will therefore analyze the agreement that has been reached between the European Commission and the U.S., and assess whether the EU-U.S. Privacy Shield satisfies the Working Party’s four concerns with respect to intelligence activities. In addition, the Working Party also will assess whether this new arrangement provides legal certainty for the other data transfer mechanisms.

The Working Party stated that, in any event, transfers of personal data to the U.S. may no longer take place on the basis of the invalidated Safe Harbor Decision. In the meantime, companies may still rely on the other data transfer mechanisms. However, national data protection authorities will handle any related cases and complaints on a case-by-case basis.

Next Steps and Timing

The Working Party asked the European Commission to deliver all documents on the EU-U.S. Privacy Shield to the Working Party by the end of February. An extraordinary plenary meeting of the Working Party will then be organized around the end of March. After this, the Working Party will consider whether the other data transfer mechanisms are still valid for transfers of personal data to the U.S. According to the Chair of the Working Party Isabelle Falque-Pierrotin, a final decision could be made by the end of April.