The European Union Court of Justice’s invalidation of the EU-USA Safe Harbor for data transfers between the two continents remains subject to question at the end of this week after the European Commission blew its January 31 deadline to reach a new Safe Harbor Agreement with the United States. As we’ve previously posted, the continued invalidated Safe Harbor, which permitted the transfer of data from the EU to the USA and US companies where such companies could prove adequate safeguards to protect the data according to rules under the 1995 EU Privacy Directive.
The European Commission set a deadline to enter a new Safe Harbor arrangement by January 31. But as of that date, no agreement with the US had yet been made. After the deadline for finalization passed, EU Justice, Consumers, and Gender Equality Commissioner Věra Jourová addressed the European Parliament’s LIBE Committee and stated that agreement was “close ... but additional effort is needed.”
Then, on Tuesday morning, Commissioner Jourová announced a new “Privacy Shield” agreement with the United States Department of Commerce that "will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies . . . For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms.”
But as of Wednesday morning, the Article 29 Chairwoman Isabelle Falque-Pierrotin stated: “We need documents in order to know precisely the content of the agreement” and “to assess whether the EU-U.S. Privacy Shield can answer to the wider concerns raised by the Schrems decision on data-transfer mechanisms.” The Department of Commerce also issued a fact sheet regarding the new Privacy Shield proposal. What is known at present is the Privacy Shield would expand the protections for data previously existing under the Safe Harbor by: (1) Requiring no indiscriminate surveillance by US authorities; (2) requiring continuous monitoring, through a proposed U.S. Ombudsman, whose office would monitor data transfers; and (3) by giving EU citizens a complaint and enforcement procedure that could be reviewed by EU Data Protection Authorities after internal company complaint procedures were exhausted.
For now, however, the Article 29 Working Party has stated that Binding Corporate Rules and Standard Contractual Clauses will remain effective for those companies using them for data transfers with the EU, at least for the next few months. The Working Party expects a final agreement on the Privacy Shield by the end of April. While it remains unclear what that Privacy Shield will ultimately look like, Ms. Falque-Pierrotin viewed the development of a US Ombudsman office to be a good thing: “It gives the possibility to convey complaints on delicate areas with intelligence services . . . Even in our country, we understand that national security is delicate. The ombudsperson has to be scrutinized and analyzed, but it’s a very good sign from the U.S. intelligence community to provide us with this. We’ll see how practically and clearly it will work.” It is quite possible that the European Court of Justice may invalidate the Privacy Shield in the same way it invalidated the Safe Harbor if it finds the protections of the shield ineffectual.