Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party, at a press conference in Brussels on Feb. 3, 2016. Credit: Peter Sayer
Businesses that need to transfer European Union citizens' personal data to the U.S. should wait until at least mid-April before relying on the Privacy Shield to provide legal protection -- and in the meantime, they shouldn't count too much on alternative mechanisms for legalizing such transfers, Europe's data protection authorities warned Wednesday.
April is when the DPAs hope to have concluded their legal analysis of the replacement for Safe Harbor that was unveiled on Tuesday. But that time frame is contingent on the European Commission providing them with the necessary documents within the three weeks it has promised, according to the head of the Article 29 Working Party, the EU body representing national data protection authorities (DPAs). That analysis will also consider alternative transfer mechanisms such as binding corporate rules and model contract clauses.
Privacy Shield is intended to fix problems the Court of Justice of the European Union identified in the Safe Harbor framework, when it ruled its privacy protections inadequate last October. Privacy Shield, like Safe Harbor before it, is supposed to provide EU citizens with a guarantee that their personal information will benefit from the same privacy protections if processed in the U.S. as it would have at home.
But so much about Privacy Shield remains undefined, and so few of the documents underpinning what is defined have been made public, that DPAs are unable to draw conclusions about its legality, said Isabelle Falque-Pierrotin, chair of the working party and also president of the French National Commission on Computing and Liberty (CNIL).
"I can't tell you what will be our final conclusion on the new arrangement. We don't have any documents," she said at a news conference in Brussels Wednesday afternoon.
One thing is still clear: Safe Harbor is finished, and companies still relying on it to justify transatlantic data transfers are clearly operating illegally, she said.
So what are companies to do in the meantime?
Back in October, the European Commission said the demise of the Safe Harbor agreement wasn't a big deal as companies could simply adopt one of the alternative mechanisms provided for in the 1995 Data Protection Directive to make their transatlantic data transfers legal.
The working party, however, expressed concern that these mechanisms might suffer from the same shortcomings the court found in the Safe Harbor framework, particularly the lack of protection from mass surveillance by intelligence services, and promised to conduct an in-depth analysis of the October ruling's effects on them.
Sign up for CIO Asia eNewsletters.