News

European data protection authorities proceed with caution – temporary guidance for data transfers to the USA

03.02.2016

After the political agreement between the EU Commission and the USA on a new data protection agreement, the “EU-US Privacy Shield”, affected companies can temporarily breath easily – but no more, since the Article-29 Group, the European data protection authorities committee, will review the agreement in the coming weeks. Nevertheless, a considerable degree of skepticism is evident between the lines. And rightly so, since in its present form the agreement hardly conforms to the high requirements set by the ECJ on the transfer of data to the USA. The American side must still provide concrete legislative steps in order to exclude mass monitoring of European data. Otherwise, US companies will continue to be obliged to increase their server capacities in Europe.

The position today is that, in principle, the Art. 29-Group welcomes the agreement on the new conditions in the EU-US Privacy Shield. It emphasizes, however, that the terms of the agreement must secure certain essential guarantees in favour of those affected. The group therefore reserves an in-depth review of the agreement and has already expressed its concern as to whether the EU-US Privacy Shield will at all be able to secure these guarantees against the background of existing statutory conditions in the USA. Until European data protection authorities, probably in the coming four to eight weeks, have formed a conclusive picture of the agreement, the wording of which still has to be completed, they provide the following temporary guidance to affected companies:

There is no longer any explicit moratorium for data transmission to the USA based on Safe Harbor. The national data protection authorities should rather decide on a case to case basis. Prohibitions and penalties are not therefore in our opinion excluded right away. It remains to be seen whether individual data protection authorities will still adopt positions thereon.

The Art.-29 Group also examines other tested mechanisms for the creation of a reasonable level of data protection by participating US-companies, EU-standard contract clauses and binding corporate rules. Only against the background of the complete version of the EU-US Privacy Shield will the group examine to what extent EU-standard contract clauses and binding corporate rules can continue to be used for data transfers to the USA. At least until a statement of the Art.-29 Group to the contrary, legal use of these alternative mechanisms can still be assumed.

Data Privacy
Digital Business
Commerce & Trade
IT & Outsourcing

Share