Wait until April before relying on Privacy Shield, EU privacy watchdogs warn

Binding corporate rules and model contract clauses are OK for now, but may not be later

isabelle falque pierrotin in brussels

Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party, at a press conference in Brussels on Feb. 3, 2016.

Credit: Peter Sayer

Businesses that need to transfer European Union citizens' personal data to the U.S. should wait until at least mid-April before relying on the Privacy Shield to provide legal protection -- and in the meantime, they shouldn't count too much on alternative mechanisms for legalizing such transfers, Europe's data protection authorities warned Wednesday.

April is when the DPAs hope to have concluded their legal analysis of the replacement for Safe Harbor that was unveiled on Tuesday. But that time frame is contingent on the European Commission providing them with the necessary documents within the three weeks it has promised, according to the head of the Article 29 Working Party, the EU body representing national data protection authorities (DPAs). That analysis will also consider alternative transfer mechanisms such as binding corporate rules and model contract clauses.

Privacy Shield is intended to fix problems the Court of Justice of the European Union identified in the Safe Harbor framework, when it ruled its privacy protections inadequate last October. Privacy Shield, like Safe Harbor before it, is supposed to provide EU citizens with a guarantee that their personal information will benefit from the same privacy protections if processed in the U.S. as it would have at home.

But so much about Privacy Shield remains undefined, and so few of the documents underpinning what is defined have been made public, that DPAs are unable to draw conclusions about its legality, said Isabelle Falque-Pierrotin, chair of the working party and also president of the French National Commission on Computing and Liberty (CNIL).

"I can't tell you what will be our final conclusion on the new arrangement. We don't have any documents," she said at a news conference in Brussels Wednesday afternoon.

One thing is still clear: Safe Harbor is finished, and companies still relying on it to justify transatlantic data transfers are clearly operating illegally, she said.

So what are companies to do in the meantime?

Back in October, the European Commission said the demise of the Safe Harbor agreement wasn't a big deal as companies could simply adopt one of the alternative mechanisms provided for in the 1995 Data Protection Directive to make their transatlantic data transfers legal.

The working party, however, expressed concern that these mechanisms might suffer from the same shortcomings the court found in the Safe Harbor framework, particularly the lack of protection from mass surveillance by intelligence services, and promised to conduct an in-depth analysis of the October ruling's effects on them.

A few hours before the European Commission's announcement of Privacy Shield, that analysis was complete. But, said Falque-Pierrotin, "The announcement is a new fact. It changes the analysis."

Until they have analyzed the documents on which Privacy Shield is based, she said, the DPAs will give the benefit of the doubt to companies relying on alternative data transfer mechanisms such as binding corporate rules and model contract clauses. 

Relying on Safe Harbor alone, though, is not a good idea: Hamburg's Commissioner for Data Protection and Freedom of Information Johannes Caspar, also attending the Brussels event, said his office has asked about 40 companies for information concerning their transfer of data to the U.S. as it sought to ensure they had complied with the October court ruling.

John Higgins, director-general of industry lobby group Digital Europe, welcomed the decision on binding corporate rules, saying it "provided businesses operating across all sectors of the economy with the reassurance and legal certainty they needed."

However, in some ways it has only prolonged the uncertainty about whether those mechanisms can be relied on for another three months, because the DPAs' initial conclusion was not positive.

"We have concerns, in particular with the scope of the surveillance and the remedies," Falque-Pierrotin said, suggesting that, before the Commission's announcement of Privacy Shield on Tuesday, the DPAs would have been inclined not to allow companies to transfer data using binding corporate rules or model contract clauses.

"Until we have completed the analysis of the possible consequences of the new arrangements on the legality of the other transfer tools, we consider it is still possible to use the existing transfer mechanisms," she said.

The DPAs will wait for the European Commission to supply the documents on which Privacy Shield is based, she said -- but "not for too long."

Asked whether the documents should be made public, she said: "It's up to the Commission to decide, but for transparency it's important that these commitments be as public as possible."

ITWorld DealPost: The best in tech deals and discounts.