Menu
Wait until April before relying on Privacy Shield, EU privacy watchdogs warn

Wait until April before relying on Privacy Shield, EU privacy watchdogs warn

Binding corporate rules and model contract clauses are OK for now, but may not be later

Businesses that need to transfer European Union citizens' personal data to the U.S. should wait until at least mid-April before relying on the Privacy Shield to provide legal protection -- and in the meantime, they shouldn't count too much on alternative mechanisms for legalizing such transfers, Europe's data protection authorities warned Wednesday.

April is when the DPAs hope to have concluded their legal analysis of the replacement for Safe Harbor that was unveiled on Tuesday. But that time frame is contingent on the European Commission providing them with the necessary documents within the three weeks it has promised, according to the head of the Article 29 Working Party, the EU body representing national data protection authorities (DPAs). That analysis will also consider alternative transfer mechanisms such as binding corporate rules and model contract clauses.

Privacy Shield is intended to fix problems the Court of Justice of the European Union identified in the Safe Harbor framework, when it ruled its privacy protections inadequate last October. Privacy Shield, like Safe Harbor before it, is supposed to provide EU citizens with a guarantee that their personal information will benefit from the same privacy protections if processed in the U.S. as it would have at home.

But so much about Privacy Shield remains undefined, and so few of the documents underpinning what is defined have been made public, that DPAs are unable to draw conclusions about its legality, said Isabelle Falque-Pierrotin, chair of the working party and also president of the French National Commission on Computing and Liberty (CNIL).

"I can't tell you what will be our final conclusion on the new arrangement. We don't have any documents," she said at a news conference in Brussels Wednesday afternoon.

One thing is still clear: Safe Harbor is finished, and companies still relying on it to justify transatlantic data transfers are clearly operating illegally, she said.

So what are companies to do in the meantime?

Back in October, the European Commission said the demise of the Safe Harbor agreement wasn't a big deal as companies could simply adopt one of the alternative mechanisms provided for in the 1995 Data Protection Directive to make their transatlantic data transfers legal.

The working party, however, expressed concern that these mechanisms might suffer from the same shortcomings the court found in the Safe Harbor framework, particularly the lack of protection from mass surveillance by intelligence services, and promised to conduct an in-depth analysis of the October ruling's effects on them.

A few hours before the European Commission's announcement of Privacy Shield, that analysis was complete. But, said Falque-Pierrotin, "The announcement is a new fact. It changes the analysis."

Until they have analyzed the documents on which Privacy Shield is based, she said, the DPAs will give the benefit of the doubt to companies relying on alternative data transfer mechanisms such as binding corporate rules and model contract clauses. 

Relying on Safe Harbor alone, though, is not a good idea: Hamburg's Commissioner for Data Protection and Freedom of Information Johannes Caspar, also attending the Brussels event, said his office has asked about 40 companies for information concerning their transfer of data to the U.S. as it sought to ensure they had complied with the October court ruling.

John Higgins, director-general of industry lobby group Digital Europe, welcomed the decision on binding corporate rules, saying it "provided businesses operating across all sectors of the economy with the reassurance and legal certainty they needed."

However, in some ways it has only prolonged the uncertainty about whether those mechanisms can be relied on for another three months, because the DPAs' initial conclusion was not positive.

"We have concerns, in particular with the scope of the surveillance and the remedies," Falque-Pierrotin said, suggesting that, before the Commission's announcement of Privacy Shield on Tuesday, the DPAs would have been inclined not to allow companies to transfer data using binding corporate rules or model contract clauses.

"Until we have completed the analysis of the possible consequences of the new arrangements on the legality of the other transfer tools, we consider it is still possible to use the existing transfer mechanisms," she said.

The DPAs will wait for the European Commission to supply the documents on which Privacy Shield is based, she said -- but "not for too long."

Asked whether the documents should be made public, she said: "It's up to the Commission to decide, but for transparency it's important that these commitments be as public as possible."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments