A stricter regime for profiling07 June 2016
International Data Transfers – The Uncertainty Continues
The statement starts on a positive note by saying that the Working Party welcomes the conclusion of the negotiations between the EU and the US on the introduction of a new Privacy Shield—although it acknowledges that it has not seen its content.
The Working Party then goes on to say that over the past weeks, it has analysed the robustness of the other existing transfer tools by reference to the criteria of the laid out by the Court of Justice of the European Union (CJEU), namely:
- Transparency – Processing should be based on clear, precise and accessible rules.
- Necessity and proportionality – A balance needs to be found between the need for government access to data and the rights of the individual.
- Independent oversight – A judge or another independent body should be able to carry out the necessary checks.
- Effective remedies – Individuals should have the right to defend their privacy rights before an independent body.
Taking all of this into account, the position of the Article 29 Working Party in relation to its assessment of the validity of standard contractual clauses and BCR to legitimise data transfers out of the EU is essentially as follows:
- The current US legal framework dealing with access to data by government, law enforcement and intelligence agencies does not meet the data privacy standards set by the CJEU.
- However, the Working Party is prepared to assess whether the recently agreed EU-US Privacy Shield changes this. In particular, the Working Party will be assessing whether the assurances given by the US government that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms, are sufficiently robust to alleviate the current concerns.
- The Working Party will carry out this assessment once the details of the Privacy Shield agreement are made available by the European Commission (requested by the end of February), so the outcome of the assessment is expected at some point in April.
- The implication is that if the US government's assurances are strong enough to meet the CJEU's standards, standard contractual clauses and BCR will be regarded as valid mechanisms to legitimise international data transfers.
- But if on the other hand, the US government's assurances do not meet the CJEU's standards, then standard contractual clauses and BCR will not be sufficient to legitimise data transfers to the US.
In summary, today's statement extends the uncertainty under which we have lived since October for another two months. In the meantime, from an enforcement perspective, the Working Party has also confirmed that EU data protection authorities will deal with related cases and complaints on a case-by-case basis.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016