Privacy Shield: reports suggest data transfers framework may not be endorsed by EU data protection watchdogs

The Privacy Shield is a framework that has been proposed to facilitate the transfer of personal data between the EU and US. EU and US officials hope the Privacy Shield can replace the safe harbor agreement which was invalidated by the EU's highest court in October last year.

Earlier this year the European Commission published a draft 'adequacy decision' which outlined its view that data transfers to the US made under the EU-US Privacy Shield will correspond to EU data protection law requirements. The privacy principles that businesses will have to comply with if they sign up to the Privacy Shield were also detailed in the documents published by the Commission at the time.

The Article 29 Working Party, a committee made up of representatives from data protection authorities from across the EU, is due to give its opinion on the Privacy Shield later this week. Its endorsement of the framework is pivotal if the Commission is to formally designate the Privacy Shield as providing for adequate data protection under EU law.

However, leaked papers, highlighted by privacy expert Dr. Carlo Piltz, suggest that data protection authorities in Germany want the Working Party to step back from endorsing the Commission's opinion on the Privacy Shield.

The German watchdogs have asked the Working Party to state that it is "not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection [in the US] that is essentially equivalent to that in the EU", the leaked document states.

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that if the Working Party adopts that view it could have major implications for businesses.

"The Working Party's opinion on the level of protection afforded by the EU-US Privacy Shield will be of major importance to organisations with trans-Atlantic trade business operations that have been left dealing with an uncertain legal environment since the safe harbor regime was invalidated," Wynn said. "It is expected that the Working Party will also offer views on the validity of the use of model contract clauses, binding corporate rules (BCRs) and other mechanisms for underpinning the transfer of personal data from the EU to the US."

"If the Working Party does not endorse the Privacy Shield and simultaneously states that organisations can no longer rely on some other the commonly used mechanisms for facilitating EU-US data transfers then it could have a significant impact on businesses. For example companies could be forced to store personal data in the EU and place major restrictions on its access by US employees or US businesses they transact with, such as through strictly controlled remote access portals. This would be expensive and restrictive in a way which could burden businesses," she said.

"The reality is that international transfers of data are vital to economic growth and there needs to be a pragmatic solution adopted by the courts, policy makers and data protection authorities to recognise this. In the UK it would remain open to businesses to self-assess the adequacy of the data protection measures in place to underpin data transfers to the US, but this will only be an applicable tool for compliance until the General Data Protection Regulation comes into force," Wynn said.