EU Data Protection Authorities Issue Statement Following Agreement
on EU-U.S. Privacy Shield

February 3, 2016

On February 3, 2016, the body of European data protection regulators—called the "Article 29 Working Party" (WP29)—issued a statement following the announcement of a political agreement regarding a new transatlantic data transfer scheme, the EU-U.S. Privacy Shield.1 This is the second guidance document2 issued by the WP29 following the invalidation of the EU-U.S. Safe Harbor Framework Agreement (Safe Harbor) by the Court of Justice of the European Union (CJEU) on October 6, 2015, in Maximillian Schrems v. Data Protection Commissioner.3

Guidance from the WP29 is a good indication of how EU data protection authorities are likely to interpret the law, but it is not legally binding on national data protection authorities or national courts.

In sum, the WP29 said that it welcomes the announcement of the Privacy Shield, but it will now review it carefully in light of Schrems. In parallel, the WP29 is reviewing EU Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCRs), the other legal bases for transferring data to the U.S. The WP29 confirmed that data transfers under Safe Harbor are unlawful, but that SCC and BCRs remain valid for now. The WP29 is expected to issue its opinion regarding the validity of the Privacy Shield, SCC, and BCRs by the end of March 2016 at the earliest. This creates significant legal uncertainty for business.

Additional details regarding the WP29 statement are set forth below:

  1. The WP29 reiterates that the Safe Harbor is not a valid data transfer mechanism. Data transfers under the Safe Harbor lack a legal basis and are unlawful under EU law.
  2. In Schrems, the CJEU considered the access of U.S. intelligence services to EU citizens' personal data as a key factor in invalidating the Safe Harbor. According to the WP29, Schrems requires four essential guarantees for intelligence data processing activities to comply with EU data protection law:
    1. Transparency: The processing should be based on clear, precise, and accessible rules
    2. Proportionality: The processing needs to be proportionate and necessary in light of the objectives pursued
    3. An independent oversight mechanism should exist that is both effective and impartial
    4. Effective remedies need to be available to the individual
  3. The WP29 welcomes the political agreement on the Privacy Shield, but states that it will need to see the actual terms of the agreement to review them in light of Schrems and the four guarantees described above.
  4. The WP29 requests that the EU Commission provide the terms and commitments of the Privacy Shield before the end of February 2016.
  5. The WP29 confirmed that it is reviewing the validity of other data transfer mechanisms in light of Schrems. In particular, the WP29 plans to assess to what extent the terms and commitments of the Privacy Shield can be extended to other transfer mechanisms, in particular SCC and BCRs.
  6. The WP29 indicates that national data protection authorities will handle complaints related to alleged unlawful data transfers to the U.S. on a case-by-case basis.

We will continue to monitor and update you on any new developments in this area.

Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws globally, along with advising clients on EU privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Michael Rubin, Chris Olsen, or another member of the firm's privacy and data protection practice.

Sarah Cadiot, Sára G. Hoffman, and Laura De Boel contributed to the preparation of this WSGR Alert.

2 See our WSGR Alert on the first statement of the Working Party 29 from October 16, 2015:
3 See the CJEU Judgment, delivered on October 6, 2015, in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner (request for a preliminary ruling from the High Court (Ireland)), available at: