Under these circumstances, with the Commission barely meeting the Article 29 Working Party’s end-of-January deadline, the Working Party had little choice but to allow more time to evaluate the agreement. According to a statement released on February 3, the Working Party welcomes the conclusion of the negotiations between the EU and the US and looks forward to receiving the documents it needs to evaluate its viability, requesting receipt of them by the end of February. In the meantime, the Working Party re-affirms that data transfers under Safe Harbor are unacceptable and that standard contractual clauses and BCRs may be relied upon for the time being.
Phil Lee from Fieldfisher was first out of the box with an excellent blog on issues relating to the new agreement, not the least of which is market acceptance. However, one issue not discussed anywhere, as far as I can tell, is what the obligations of US companies will be under the Privacy Shield and how they will become operative. As announced, the agreement addresses only high-level questions associated with surveillance and its aftermath, making no mention of what privacy standards and practices will be required of companies that may want to avail themselves of its protections. What has become of the thirteen recommendations for Safe Harbor reform advanced by the Commission back in 2013? In short, where is the beef on the Privacy Shield bone?