On April 13, 2016, the body of European Data Protection Authorities (DPAs)—the "Article 29 Working Party" (WP29)—issued its opinion on the new EU-U.S. Privacy Shield.1 The WP29 acknowledged that progress has been made with the Privacy Shield, but called for several significant changes to the shield before it can be found to provide protection that is "essentially equivalent" to EU data protection law. Importantly, the WP29 also concluded that it will not examine the validity of EU Model Contracts and Binding Corporate Rules (BCRs) until after an adequacy determination has been made regarding the Privacy Shield. Those data transfer mechanisms remain valid for now.
The WP29 opinion is not legally binding, but its issuance is a key step on the road to formal adoption of the Privacy Shield. The opinion holds important political value, as it gives an indication as to how DPAs would evaluate data transfers made under the Privacy Shield. If ultimately approved by the EU Commission, the Privacy Shield will provide a legal basis for data transfers from the EU to the U.S.
More information on the Safe Harbor framework and Schrems can be found here.
Background
The Privacy Shield was negotiated by the EU Commission and the U.S. Department of Commerce to provide a legal basis for companies in the U.S. to receive personal data from the EU, in compliance with EU data transfer requirements. It was announced by the EU and U.S. on February 2, 2016, as a replacement for the Safe Harbor framework that was invalidated by the EU Court of Justice (CJEU) in its Schrems judgment of October 6, 2015.2 The Privacy Shield documentation that the WP29 opined on was published shortly afterwards.3 More information on the Privacy Shield documentation can be found here.
Key Points of the WP29 Opinion
The following are some of the key takeaways:
Changes to the Privacy Shield
The WP29 finds that the Privacy Shield generally improves the level of protection for EU citizens' personal data compared to the invalidated Safe Harbor framework. However, the WP29 calls on the negotiators of the Privacy Shield to make the following improvements before the shield can be deemed acceptable:
EU Model Contracts and BCRs Are Still Valid
After the invalidation of the Safe Harbor by the Schrems judgment, the WP29 announced that it would examine the implications of the judgment for other data transfer mechanisms, i.e., the EU Model Contracts and BCRs. However, the WP29 stated today that it will wait to make that assessment until the EU Commission has adopted its "adequacy decision" to give effect to the Privacy Shield. During the press conference, Ms. Falque-Pierrotin, chair of the WP29, said that for now, EU Model Contracts and BCRs are still valid instruments to legitimize international data transfers of EU personal data.
Next Steps
The WP29's approval is not a prerequisite for the formal adoption of the Privacy Shield, but it has important political value. The WP29 highlights the bases on which the Privacy Shield may be challenged, if it is adopted in its current form. The Privacy Shield will now be reviewed by a committee of representatives of the EU member states (i.e., the Article 31 Committee) before being presented to the College of EU Commissioners for final approval. According to the WP29, this is expected to occur in June 2016 or September 2016. The U.S. government will work in parallel on the practical implementation of the Privacy Shield.
We will continue to monitor related developments closely and update you on any significant news.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws globally, along with advising clients on EU privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Michael Rubin, Chris Olsen, or another member of the firm's privacy and data protection practice.
Sarah Cadiot, Sára G. Hoffman, and Laura De Boel contributed to the preparation of this WSGR Alert.