Companies advised to wait until April before relying on Privacy Shield
Businesses that need to transfer European Union citizens’ personal data to the US should wait until at least mid-April before relying on the Privacy Shield to provide legal protection — and in the meantime, they should not count too much on alternative mechanisms for legalising such transfers, Europe’s data protection authorities have warned.
“We have concerns, in particular with the scope of the surveillance and the remedies,” Isabelle Falque-Pierrotin, CNIL
April is when the DPAs hope to have concluded their legal analysis of the replacement for Safe Harbor that was unveiled. But that time frame is contingent on the European Commission providing them with the necessary documents within the three weeks it has promised, according to the head of the Article 29 Working Party, the EU body representing national data protection authorities (DPAs). That analysis will also consider alternative transfer mechanisms such as binding corporate rules and model contract clauses.
Privacy Shield is intended to fix problems the Court of Justice of the European Union identified in the Safe Harbor framework, when it ruled its privacy protections inadequate last October. Privacy Shield, like Safe Harbor before it, is supposed to provide EU citizens with a guarantee that their personal information will benefit from the same privacy protections if processed in the US as it would have at home.
But so much about Privacy Shield remains undefined, and so few of the documents underpinning what is defined have been made public, that DPAs are unable to draw conclusions about its legality, said Isabelle Falque-Pierrotin, chair of the working party and also president of the French National Commission on Computing and Liberty (CNIL).
“I can’t tell you what will be our final conclusion on the new arrangement. We don’t have any documents,” she said at a news conference in Brussels.
One thing is still clear: Safe Harbor is finished, and companies still relying on it to justify transatlantic data transfers are clearly operating illegally, she said.
So what is to be done in the meantime?
Back in October, the European Commission said the demise of the Safe Harbor agreement wasn’t a big deal as companies could simply adopt one of the alternative mechanisms provided for in the 1995 Data Protection Directive to make their transatlantic data transfers legal.
The working party, however, expressed concern that these mechanisms might suffer from the same shortcomings the court found in the Safe Harbor framework, particularly the lack of protection from mass surveillance by intelligence services, and promised to conduct an in-depth analysis of the October ruling’s effects on them.
A few hours before the European Commission’s announcement of Privacy Shield, that analysis was complete. But, said Falque-Pierrotin, “The announcement is a new fact. It changes the analysis.”
Until they have analysed the documents on which Privacy Shield is based, she said, the DPAs will give the benefit of the doubt to companies relying on alternative data transfer mechanisms such as binding corporate rules and model contract clauses.
Relying on Safe Harbor alone, though, is not a good idea: Hamburg’s Commissioner for Data Protection and Freedom of Information Johannes Caspar, also attending the Brussels event, said his office has asked about 40 companies for information concerning their transfer of data to the US as it sought to ensure they had complied with the October court ruling.
John Higgins, director-general of industry lobby group Digital Europe, welcomed the decision on binding corporate rules, saying it “provided businesses operating across all sectors of the economy with the reassurance and legal certainty they needed.”
However, in some ways it has only prolonged the uncertainty about whether those mechanisms can be relied on for another three months, because the DPAs’ initial conclusion was not positive.
“We have concerns, in particular with the scope of the surveillance and the remedies,” Falque-Pierrotin said, suggesting that, before the Commission’s announcement of Privacy Shield, the DPAs would have been inclined not to allow companies to transfer data using binding corporate rules or model contract clauses.
“Until we have completed the analysis of the possible consequences of the new arrangements on the legality of the other transfer tools, we consider it is still possible to use the existing transfer mechanisms,” she said.
The DPAs will wait for the European Commission to supply the documents on which Privacy Shield is based, she said — but “not for too long.”
Asked whether the documents should be made public, she said: “It’s up to the Commission to decide, but for transparency it’s important that these commitments be as public as possible.”
Peter Sayer, IDG News Service
Subscribers 0
Fans 0
Followers 0
Followers