Wednesday, 16 December 2015

#Privacy in EU: the growing legal uncertainty

Some weeks have passed since the ECJ published its decision in the case Max Schrems vs Irish Data Commissioner. Although it is still too early to feel the full impact of the decision on the EU and US economies, we are beginning to see some of the dark consequences.

The invalidation of the Safe Harbor agreement has opened the floodgates of legal uncertainty over data flows between the EU and the US. The uncertainty extends beyond data transfers done under the Safe Harbor agreement: other mechanisms, such as the model contract clauses or the binding corporate rules, are also tainted by doubt. It is not an overstatement to say that we are living in a period of quarantine over US-EU data flows.

After the publication by the Article 29 Working Party of its guidance on the interpretation of the ECJ ruling, everybody expects a grace period until January 31st, 2016. Nevertheless, the German Data Protection Watchdogs announced that they would not allow any data transfers to the US on the basis of binding corporate rules or data transfer contracts. In other words, only explicit consent remains as a valid mechanism for authorising data transfers. However, in spite of all the anger from the industry, the decision of the German Data Protection Watchdogs looks quite difficult to enforce.

But the ECJ decision has actually opened the door to a further balkanization of the EU digital market. The ECJ has ruled that all the national privacy watchdogs have the obligation to investigate possible unlawful behaviour regarding the data protection rules. This decision has established a scenario where more than one Data Protection Regulator could investigate the same case. The first and expected consequence has been the investigation of the Facebook case by the Austrian Data Protection Regulator, at the same time as the case is under investigation in Ireland. The chances of contradictory decisions in such a scenario are greater than before the ECJ ruling.

For its part, the European Commission (EC) has published its own guidance on the interpretation of the ECJ ruling. The EC insists on the validity of the other forms of permission for data transfers to the US (BCR, Contractual Templates and Derogations). However, the EC underlines that this is the situation "currently", and it is far from offering complete legal certainty. Furthermore, although the EC expresses its will to conclude the agreement before the end of January 2016, it looks as if the US has little intention of making new concessions and changes to its methods of surveillance of digital services. It seems that a huge divide still exists between the US and the EU on what guarantees need to be included in the future agreement.

In spite of the guidance given by the EC, it looks as if companies prefer options with more legal certainty. Both Amazon and Microsoft have preferred to establish more data centers in Europe in order to avoid data transfers to the US.

So all the worst expectations after the ECJ ruling are taking shape: a possible invalidation of all data transfers between the US and the EU, different privacy regulators investigating the same case, and rules that are difficult (if not impossible) to enforce. We need, sooner rather than later, to clarify the privacy scenario in the EU and its connection with the rest of the world. Not finding a new agreement is not a solution. Nor is it time for a blame game about which side has been responsible for not enforcing Safe Harbor.
