Menu
Wait until April before relying on Privacy Shield, EU privacy watchdogs warn

Wait until April before relying on Privacy Shield, EU privacy watchdogs warn

Binding corporate rules and model contract clauses are OK for now, but may not be later

Businesses that need to transfer European Union citizens' personal data to the U.S. should wait until at least mid-April before relying on the Privacy Shield to provide legal protection -- and in the meantime, they shouldn't count too much on alternative mechanisms for legalizing such transfers, Europe's data protection authorities warned Wednesday.

April is when the DPAs hope to have concluded their legal analysis of the replacement for Safe Harbor that was unveiled on Tuesday. But that time frame is contingent on the European Commission providing them with the necessary documents within the three weeks it has promised, according to the head of the Article 29 Working Party, the EU body representing national data protection authorities (DPAs). That analysis will also consider alternative transfer mechanisms such as binding corporate rules and model contract clauses.

Privacy Shield is intended to fix problems the Court of Justice of the European Union identified in the Safe Harbor framework, when it ruled its privacy protections inadequate last October. Privacy Shield, like Safe Harbor before it, is supposed to provide EU citizens with a guarantee that their personal information will benefit from the same privacy protections if processed in the U.S. as it would have at home.

But so much about Privacy Shield remains undefined, and so few of the documents underpinning what is defined have been made public, that DPAs are unable to draw conclusions about its legality, said Isabelle Falque-Pierrotin, chair of the working party and also president of the French National Commission on Computing and Liberty (CNIL).

"I can't tell you what will be our final conclusion on the new arrangement. We don't have any documents," she said at a news conference in Brussels Wednesday afternoon.

One thing is still clear: Safe Harbor is finished, and companies still relying on it to justify transatlantic data transfers are clearly operating illegally, she said.

So what are companies to do in the meantime?

Back in October, the European Commission said the demise of the Safe Harbor agreement wasn't a big deal as companies could simply adopt one of the alternative mechanisms provided for in the 1995 Data Protection Directive to make their transatlantic data transfers legal.

The working party, however, expressed concern that these mechanisms might suffer from the same shortcomings the court found in the Safe Harbor framework, particularly the lack of protection from mass surveillance by intelligence services, and promised to conduct an in-depth analysis of the October ruling's effects on them.

A few hours before the European Commission's announcement of Privacy Shield, that analysis was complete. But, said Falque-Pierrotin, "The announcement is a new fact. It changes the analysis."

Until they have analyzed the documents on which Privacy Shield is based, she said, the DPAs will give the benefit of the doubt to companies relying on alternative data transfer mechanisms such as binding corporate rules and model contract clauses. 

Relying on Safe Harbor alone, though, is not a good idea: Hamburg's Commissioner for Data Protection and Freedom of Information Johannes Caspar, also attending the Brussels event, said his office has asked about 40 companies for information concerning their transfer of data to the U.S. as it sought to ensure they had complied with the October court ruling.

John Higgins, director-general of industry lobby group Digital Europe, welcomed the decision on binding corporate rules, saying it "provided businesses operating across all sectors of the economy with the reassurance and legal certainty they needed."

However, in some ways it has only prolonged the uncertainty about whether those mechanisms can be relied on for another three months, because the DPAs' initial conclusion was not positive.

"We have concerns, in particular with the scope of the surveillance and the remedies," Falque-Pierrotin said, suggesting that, before the Commission's announcement of Privacy Shield on Tuesday, the DPAs would have been inclined not to allow companies to transfer data using binding corporate rules or model contract clauses.

"Until we have completed the analysis of the possible consequences of the new arrangements on the legality of the other transfer tools, we consider it is still possible to use the existing transfer mechanisms," she said.

The DPAs will wait for the European Commission to supply the documents on which Privacy Shield is based, she said -- but "not for too long."

Asked whether the documents should be made public, she said: "It's up to the Commission to decide, but for transparency it's important that these commitments be as public as possible."


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments