The CJEU judgment that the Safe Harbour framework is invalid has several immediate practical consequences for businesses in Latvia.
First, from now on the transfer of personal data to the US and also transfer-related data-processing registration with the Latvian Data State Inspectorate (the Inspectorate) from the legal point of view will be more difficult.
Before the Schrems judgment, for the Inspectorate to confirm that a data transfer was legal, it was enough to indicate in the data-processing registration application that the transfer would be to a US company that had Safe Harbor certification.
Now it is necessary to use other mechanisms for the transfer of personal data. All data transfers to the US are regarded as data transfers to a country that does not ensure the level of data protection is equivalent to that in Latvia. The options are listed in Section 28 of the Latvian Personal Data Protection Law and, among others, include:
- A data transfer agreement must be concluded based on the EU Model Clauses or based on the standard conditions approved by the Latvian Government.
- The data subject gives consent.
- The data controller must be bound by the Binding Corporate Rules.
Second, for those companies that until the Schrems judgment have transferred data to the US under the Safe Harbour regime and urgently need to continue such data transfers legally, there is a great deal of uncertainty regarding what they should do now
The Inspectorate is expected to announce an action plan in this respect as well as explain other practical consequences arising from the judgment. So far the Inspectorate has not officially commented on the consequences of the Schrems judgment; however, it is highly unlikely that data controllers who relied on the legality of the Safe Harbour regime for data transfers to the US until 6 October 2015 will face any negative consequences from the Inspectorate. Likewise, it seems unlikely that the Inspectorate will impose any severe sanctions on the data controllers who need reasonable time to implement new legal tools for the lawful transfer of data to replace those that have been invalidated by the CJEU.
Instead of registering personal data protection activities relating to data transfers with the Inspectorate, data controllers have always been able to appoint and register a data protection specialist with the Inspectorate. However, this does not solve the problem of the non-existence of the relevant legal basis for the international data transfers.