Out-Law News 6 min. read

Deal on EU-US Privacy Shield leads EU watchdogs to extend moratorium on data transfers enforcement action


Businesses can continue to rely on model contract clauses and binding corporate rules (BCRs) as a basis for sending personal data from the EU to the US, until the middle of April at least, without fear of being the subject of enforcement action, the head of a body of European data protection authorities has said.

Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, said all data protection authorities across the EU had agreed to extend the current moratorium on enforcement action regarding EU-US data transfers until they have had time to scrutinise a new framework to facilitate such transfers, the EU-US Privacy Shield, that was agreed by EU and US officials on Tuesday.

However, Falque-Pierrotin said that companies that relied on the previous EU-US safe harbour agreement as a basis for transferring personal data over the Atlantic could be subject to enforcement action now if they still rely on compliance with the terms of that agreement as demonstrating their compliance with EU data protection laws on data transfers. The EU-US safe harbour framework was ruled as invalid by the EU's highest court in October last year.

"If companies are using the former safe harbour framework it is illegal because this has clearly been invalidated by the judges [at the Court of Justice of the EU (CJEU)]," Falque-Pierrotin said in a press conference on Wednesday afternoon.

"We will allow data controllers to use the [alternative] existing transfer tools until we have conducted and finalised the assessment of the new [Privacy Shield]," she said.

On establishing its latest position on enforcement, she said the DPAs have tried to balance the fact there is a "political will" for a reformed deal around EU-US data transfers but little documentation to scrutinise with the risk of taking "too rigid" a stance or giving the go-ahead to data transfers on "illegitimate grounds".

Falque-Pierrotin said the Article 29 Working Party expects to receive documents relevant to the Privacy Shield in time for the Working Party to review them at a meeting scheduled for the end of March. She said it is likely to be mid-to-late April before the Working Party is ready to reach a view on whether the Privacy Shield offers data protection equivalent to EU standards when data is transferred to the US. She said that it will be at that point too that the Working Party will be in a position to offer a clearer view on the legitimacy of businesses' continued use of alternative mechanisms for data transfers, such as model clauses and BCRs.

Falque-Pierrotin said a relevant issue the Working Party will scrutinise is whether commitments the US government has made regarding the extent of access their law enforcement and intelligence agencies will have to EU citizens' data respect principles of proportionality and necessity enshrined in EU law.

"These commitments [made by the US government on access to data under the Privacy Shield] would need to apply to the other tools [used for data transfers]," Falque-Pierrotin said.

Falque-Pierrotin said it is difficult for Europe's data protection authorities to come to an immediate view on the Privacy Shield and how its underlying measures affect alternative data transfer tools as they have yet to see the detail of the proposals.

She said, though, that she does not think a proposed new US law to give EU citizens new rights of redress for mishandling of data in the US would address concerns the CJEU had raised in its ruling in relation to EU citizen's redress because the Judicial Redress Bill would not apply to cases concerning access to data for national security purposes. In addition, Falque-Pierrotin said that "the legal form" of the Privacy Shield has not yet been made clear.

Business groups have welcomed the agreement of the new Privacy Shield. Many organisations electronically transfer personal data from the EU for processing on servers based in the US as part of everyday business operations.

The European Commission said that the new data transfers framework, which has still to be completely finalised, "reflects the requirements" set out by the CJEU in its October 2015 judgment. It said the EU-US Privacy Shield "will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses".

However, the deal has been criticised by prominent privacy campaigners. MEP Jan Phillip Albrecht, who has led the European Parliament's negotiations on the new General Data Protection Regulation in the EU, described the deal as "a joke".

Austrian student Max Schrems, whose legal action against Ireland's data protection authority led to the CJEU invalidating the previous safe harbour arrangements, said that the new deal might not address concerns about US authorities' "mass surveillance" activities. He also raised concerns that the new framework will be formalised on an 'exchange of letters' basis and not "by means of ‘domestic law or international commitments’".

EU data protection laws enable the European Commission to issue a decision that allows for personal data to be transferred to a country outside of the European Economic Area (EEA) if that country ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments. In its ruling the CJEU said that a country's laws cannot ensure an adequate level of protection if those laws permit "public authorities to have access on a generalised basis to the content of electronic communications."  

Schrems said: "I am … not sure if this system will stand the test before the Court of Justice. There will be clearly people that will challenge this – depending on the final text I may well be one of them."

Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "Once it becomes available, businesses will want to be cautious about signing up to Privacy Shield given the potential legal challenges that special interest groups have already suggested they will be considering."

However, the European Commission said that the EU-US Privacy Shield would place "strong obligations on companies handling Europeans' personal data and robust enforcement".

"US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed," the Commission said. "The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs (data protection authorities)."

The Commission also said that it has received "written assurances" from the US that US law enforcement and national security agencies' access to personal data about EU citizens "will be subject to clear limitations, safeguards and oversight mechanisms".

"These exceptions must be used only to the extent necessary and proportionate," the Commission said. "The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European data protection authorities to it."

EU citizens will also gain rights to redress in the US if they feel "their data has been misused under the new arrangement", the Commission said.

"Companies have deadlines to reply to complaints," it said. "European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, alternative dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new ombudsperson will be created."

The ability to transfer personal data outside the EEA is restricted under the EU's Data Protection Directive. Only where "adequate protections" are in place, or where the destination country has been pre-approved by the European Commission as having adequate data protection, can data transfers go ahead.

The EU-US Privacy Shield will only be operational when the European Commission adopts a so-called adequacy decision and when the US completes the steps it needs to take to implement the new framework.

The Commission said a draft adequacy decision is to be prepared "in the coming weeks" and will go before the Article 29 Working Party and representatives from the national governments of EU member states for scrutiny before it is put before EU commissioners for adoption. It said that the US would "in the meantime … make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman".

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.