The fallout from the EU Court of Justice (ECJ) Schrems decision invalidating the Safe Harbor continues.
As posted earlier this month, the national Data Protection Authorities (DPAs) from across the EU met under the auspices of the Article 29 Working Party (Working Party) to discuss the consequences to be drawn from the ECJ’s ruling. On October 16th, the Working Party issued a short statement, the highlights of which are as follows:
- It is essential that there be a “collective and common position on the implementation of the judgment.”
- The “massive and indiscriminate surveillance” cited by the Court is “incompatible with the EU legal framework” and “existing transfer tools are not the solution to this issue.”
- The Working Party is “urgently calling on the Member States and European institutions to open discussion with the U.S. authorities in order to find political, legal and technical solutions” that would enable data transfers to the U.S. that respect fundamental privacy rights. The release noted that the “current negotiations around a new Safe Harbor could be part of the solution.”
- The Working Party will continue its analysis of the decision and its impact on other transfer tools.
So what should you do in the meantime? According to the Working Party, it is clear that transfers still taking place under the Safe Harbor decision after the CJEU judgment “are unlawful.” But there is some relief: we can continue to rely on the Standard Contractual Clauses and Binding Corporate Rules while the Working Party continues its analysis on other transfer tools. Nonetheless, the Working Party was quick to point out that their use would “not prevent DPAs [from investigating] particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.” It also provided a timeline, indicating that if no solution has been found with the US authorities by the end of January 2016, and “depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” Despite the risks that remain, the mood is optimistic, with the Supervisor of the Working Party noting that there is no reason to believe that now, after 15 years of the use of Safe Harbor, the DPAs will rush to sanctions against companies that are working to find solutions.
Either way, the statement by the Working Party is a welcome sigh of relief; it has upheld the use of Standard Contractual Clauses and Binding Corporate Rules despite the recent position paper by the DPA in the German state of Schleswig-Holstein. There, the Schleswig-Holstein DPA warned that data transfers made on the basis of model contract clauses are no longer permitted. For now, with the Working Party having spoken, we know the Schleswig-Holstein decision is not the standard amongst European DPAs, but rather is limited to only a single German federal state.
The Working Party concluded that its plan is to put in place what it calls “information campaigns” at the national level, including directly to companies that previously relied on Safe Harbor. For now, the advice to businesses is to take note of the risks they are taking when transferring data, and consider putting in place legal and technical solutions – as soon as possible – that will mitigate those risks and respect the EU data protection acquis.
For assistance in understanding how these decisions may affect your company, auditing privacy and data security compliance programs, reviewing model agreements, or preparing Binding Corporate Rules, please contact the author or a Polsinelli Privacy and Data Security team member.