On January 28th, we published an article entitled “Safe Harbor: how does its revocation affect European companies?” detalling the legal insecurity of personal data transfers between the European Union and the United States that individuals are now facing. The article offered recommendations for European companies, with the aim to mitigate any difficulty.
It's been two and a half months since then and, although the European Commission announced on February 2nd its intention to reach an agreement between the U.S. and the EU (known as the "US-EU Privacy Shield," hereinafter referred to as “the agreement”), to date there continues to be the same level of legal uncertainty, since legislation relevant to the international transfer of European data to companies located in the U.S. still does not exist.
Below are the most important aspects of the agreement that will aid an analysis of the situation described in the previous paragraph.
What was actually published on February 2nd was a simple agreement of intent of the so-called "US-EU Privacy Shield" and currently the US Department of Commerce are in talks with the European Commission to negotiate and draft the full content of the agreement.
There is currently no legal basis for the international transfer of data between companies located in the U.S. and the EU. In this regard, the only data protection agencies in Europe that could be considered legal are those that adhere to data protection clauses or binding corporate rules, and they instantly become illegal if they take one step outside of the afore-mentioned scenario.
No full agreement has been reached between the U.S. and the EU yet. To date, only a draft text in English has been circulated, reflecting the possible issues agreed upon by both parties, as well as establishing a general framework that will regulate the final pact between the U.S. and the EU. A FactSheet review published by the European Commission lists the different elements that are likely to feature in the agreement. The most important ones are:
a) At a commercial level, strict obligations include:
b) Guaranteed transparency on the part of the U.S. government regarding data access:
c) Resources that must be implemented by companies:
d) The necessity of a mechanism for joint annual review:
The Agreement will be applicable to the Data Protection Regulation, specifically to the paragraph regarding international transfers. This is why the US-EU Privacy Shield must be consistent with the data protection rules that have recently been approved..
The Regulation and Decision that implements the content of the regulation, form part of the same package of policy measures required in the EU to ensure the treatment and protection Euroepean citizens’ data.
The Working Party of Article 29 (hereafter referred to as “Art.29 WP”) is an independent body that offers consulting and advisory functions to entities of the European Union on issues related to the privacy and treatment of data protection. Art.29 WP has a crucial role to play in the development of the US-EU Privacy Shield, as it is formed by the 28 European data protection agencies who seek practical ways of resolving privacy and data protection issues. Art.29 WP has the function of impartially reviewing US-EU Privacy Shield’s contents and submitting comments on the degree to which the Agreement’s implementation accords with European standards and principles.
On Wednesday April 13th, Art.29 WP president Isabell Falque-Pierrotin issued a statement on the Agreement’s draft content, indicating that although it represents a breakthrough from the Safe Harbor days, there are still many important issues within the Agreement that need to be reviewed and clarified by the European Commission and the U.S. Department of Commerce.
Falque-Pierrotin stated the following:
The statements issued by Art.29 WP are not binding either by the European Commission nor the U.S.. However, in the coming months these entities will be seeking a solution to bring the US-EU Privacy Shield in line with the guidelines and comments submitted by Art.29 WP. It is estimated to be some months before such revisions are made, leaving European citizens no choice but to carry on their operations without a definitive agreement governing transatlantic data transfers in place.
Art.29 WP statement confirms the legal uncertainty that has caused Safe Harbor to be called into question, as well as the precarious nature of the attempted US-EU Privacy Shield. This situation has already created a great deal of commercial uncertainty, since Europeans do not have any kind of legal guarantee when making international data transfers to the US, and such transfers are still being made nonetheless.
On Wednesday April 13th, Art.29 WP indicated that, while the Agreement is pending, it is recommended that international data transfer between the U.S. and the EU are carried out based on the most relevant data protection clauses in force or binding corporate rules. It should however be mentioned that the European data protection authorities are entitled to start investigations against companies that violate European data protection legislation at any time they deem appropriate.
The "draft Agreement" must be reviewed and adapted in coming months by the European Commission and the U.S. Department of Commerce according to observations discussed by Art.29 WP. In this context, European companies have been advised to heed the recommendations made at the end of our blog post published on January 28th.
 |
This is a guest posts by Ana Martiza Vega Suárez. |
RELATED POSTS
