This week the Article 29 Working Party (WP29) met to discuss the consequences following the CJEU judgment in the Schrems case for international transfers.
The conclusion of negotiations between the EU and the United States sees the introduction of a “EU-U.S. Privacy Shield”, announced in time to meet the deadline set by the WP29 back in October.
The proposed new framework will replace the defunct Safe Harbour sharing agreement with the aim of protecting the rights of Europeans whose data is shared with/transferred to the United States.
The WP29 held hearings and discussions with academics, businesses representatives, senior government officials and civil society in order to gain a full understanding of the current situation regarding the transfer of personal information from the EU to the United States.
The WP29 now awaits the receipt of the relevant paperwork precisely detailing the content and legal bindingness of the Safety Shield agreement, and has called for the Commission to provide this by the end of February. It will then assess whether the provisions alleviate its concerns regarding the U.S. legal framework and respect the powers of data protection authorities as laid down in Article 28 of Directive 95/46/EC.
The WP29 has conducted its assessment in light of the European jurisprudence on fundamental rights, which sets four essential guarantees for intelligence activities.
Jane Finlayson-Brown, Data Protection partner, shared her thoughts on the new framework and advised that although it is a positive move, there is still more to be done. She told Infosecurity:
“The Article 29 Working Party’s comments today signals continued uncertainty on cross border transfers, pending analysis of the new Privacy Shield.”
“In itself the Privacy Shield is good news, but it is clear that much work needs to be done by the Commission and the U.S. to satisfy national data protection authorities that it addresses the concerns raised through the Schrems judgement in a legally binding manner.”
Eduardo Ustaran, partner in the global Privacy and Information Management practice of Hogan Lovells, agrees:
“This statement extends the uncertainty under which we have lived since October for another two months. In the meantime, from an enforcement perspective, the Working Party has also confirmed that EU data protection authorities will deal with related cases and complaints on a case-by-case basis,” he said.
Photo © ktsdesign