The European Court of Justice decision to declare Safe Harbor invalid (see article here) has come a long way and a temporary outcome has been settled.
Following the judgement handed out by the Court on the Schrems vs Facebook, the Article 29 Working Party (Art. 29 WP), a group of various “European Commissions for Data Protection and Liberties” (CNIL), had given the European Commission a three-month delay before seeking legal action against companies that transferred data to the US based on the Safe Harbor Agreement.
That delay expired on February 1st 2016, right before Art. 29 WP’s meeting who had to comment the alternatives that could be used as a base for data transfer to the US.
Agreement project « Privacy Shield »
To conclude this whole drama, the Commissioner Vera Jourova announced on February 2nd 2016 that the United States had come to an agreement on the new framework for data transfer baptized the EU-US “Privacy Shield”. Actually, it is rather an engagement on suggesting an Agreement because they give themselves 3 months to draw it. In short, the Agreement’s project foresees the same rules as the previous agreement but also includes mechanisms that should help citizens giving access to American Justice to contest the use of particular personal data.
Article 29 Working Party answers
As soon as the agreement was announced, voices were raised to question the validity of this agreement. Particularly the Art. 29 WP who asks for more information on the agreement in order to examine its validity with regards to the Schrems case.
Read article here
In brief, it states that the companies that based their data transfer to the US only on Safe Harbor are acting unlawfully. The legality of other instruments (standardized clauses, individual agreements…) is still submitted to review. Therefore, the Article 29 Working Party committed to proactively initiate actions against companies transferring data to the US until they can pronounce themselves on the validity of the new Privacy Shield agreement.
How about transatlantic data flow?
The companies that would want to transfer data to the US have a few weeks of respite, the time that the working group delivers its answer. Major American players have immediately bragged about it on social media. But the devil is in the details. The Article 29 Working Party specifically says that during these weeks of respite, they will take into account the filed complaints and treat them on a case-by-case basis. This means that if an individual or a competitor considers that a data transfer is operated only on basis of the Safe Harbour agreement, still invalid, knock on the CNIL’s door, the latter can take action.
The juridical security companies seek hangs by a thread…
What should companies do?
Again, the safest way to operate is to opt for European providers for European consumers’ data treatment on European Soil. Further, important American players have measured the extent of the problem and have decided to transfer their data centres to Europe to avoid data transfer restriction.
Need more info? Contact us!