The Article 29 Working Party (WP29), the group that is responsible for dealing with the fallout from the European Court of Justice invalidation of the Safe Harbor Agreement, met for the first time since the decision to start sorting things out. For companies moving data between the U.S. and the E.U., there were some good things said and some not so good things.
Here is the news:
- The Working Party thinks that it is essential that they have a robust, collective and common position. For companies, this is good news. Like dealing with 50 state privacy laws here, dealing with 17 separate legal positions in Europe would be a killer.
- The Working Party reiterated the court’s position on massive, indiscriminate data collection in the U.S. and said that this was incompatible with E.U. privacy laws. They (continue to) ignore the massive and indiscriminate data collection done by European spy agencies.
- The Working Party said that transfers of data to countries where the state authorities have too much power to access data will not be considered a safe destination for transfers. That is a direct shot on the U.S. and NSA.
- The Working Party asked the member states to urgently try and work out some sort of agreement with the U.S. using political, legal and technical solutions. Given that it took everyone two years to come to the agreement on the proposed new agreement that just got blown out of the water, I am not confident in everyone’s ability to create a whole new agreement quickly.
- The Working Party will continue to look at other laws and agreements that may have been impacted by the court’s decision.
- In the meantime, standard contract clauses and binding corporate rules can still be used but state data protection authorities can look at individual cases to stop transfers.
- Any transfers taking place after the court’s decision based on the Safe Harbor agreement are unlawful. That is, of course, a true statement, but it does not provide much wiggle room for U.S. companies to negotiate with.
- And, finally, the Working Party set a deadline of January 31, 2016 for the E.U. and U.S. to come to some agreement. That, in my opinion, is very aggressive and is a timetable that is not likely to be met. They said if an agreement is not in place by that time, the data protection authorities are committed to taking all necessary and appropriate actions which may include shutting down data transfers.
Of course, the could change their mind tomorrow. Or in January. There is nothing carved in stone.
There is one thing that seems important and that is for the U.S. to pass a law allowing E.U. citizens to sue in U.S. court over privacy violations. That requirement from the E.U. seems non-negotiable. That right does not exist today. A bill is going to be introduced, but who knows where it will go after that.
What is clear that U.S. companies that transfer data from the E.U. have a lot of uncertainty and, apparently, a short time frame for two governments to come to some agreement.
I think we live in interesting times.
The WP29 press release can be found here.