The Court of Justice of the European Union (the “CJEU”), Europe’s highest court, declared last month that the U.S.-EU Safe Harbor Scheme is invalid. The CJEU also declared that national supervisory authorities are free to challenge findings of the European Commission (the “Commission”) that a third country ensures an adequate level of protection for personal data transferred to that country. On 16 October 2015, the Article 29 Working Party issued a statement in which it confirms that “transfers that are still taking place under the Safe Harbor decision after the CJEU judgment are unlawful” and urges businesses to “reflect on the eventual risks they take when transferring data and [to] consider putting in place any legal and technical solutions in a timely manner to mitigate those risks.”
The Article 29 Working Party has advised that whilst it continues to analyse the impact of the CJEU judgment on the alternative mechanisms for the transfer of personal data outside the EEA, the data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. Ten days later, however, the German federal and state supervisory authorities released a position paper stating that they will no longer approve transfers to the U.S. on the basis of Binding Corporate Rules.
On 6 November 2015, the Commission published a Communication in which it discusses the use of alternative bases for transfers of personal data to the U.S. after the CJEU’s decision. The Commission echoes the Article 29 Working Party’s position that the Standard Contractual Clauses and Binding Corporate Rules (as authorised by the relevant data protection authorities (“DPAs”)) can still be relied on for the transfer of personal data outside the European Economic Area (the “EEA”). The Commission states that data exporters and importers can also rely on other contractual arrangements as approved by the relevant DPAs on a case-by-case basis, and on the derogations listed in Article 26(1) of Directive 95/46/EC (the “Directive”), which include transfers that are necessary for the performance of a contract between the data subject and the data controller, transfers in respect of which the data subject has given their unambiguous consent, and transfers that are necessary or legally required on important public interest grounds or to establish, exercise, or defend legal claims.
In the Communication the Commission draws a distinction between reliance upon these alternative bases, as compared with reliance on a finding by the Commission that a third country (i.e. a country outside the EEA) ensures an adequate level of data protection: Where the Commission has made a finding of adequacy in respect of a third country, it can be assumed that the data importer in that third country to which personal data is transferred is under an obligation to comply with an adequate system of data protection legislation, and so the safety of the transferred personal data will be adequately protected. On the other hand, when the personal data is transferred to a third country on the bases of the alternative transfer methods, the data exporters and importers are themselves responsible for ensuring that the transfers comply with the requirements of the Directive. As such, the Commission draws attention to the central role of the DPAs, who “as the main enforcers of the fundamental rights of data subjects . . . are both responsible for and empowered to supervise data transfers from the EU to third countries, in full independence.”
During this period of uncertainty it is imperative that businesses currently relying on Safe Harbor for the transfer of personal data to the U.S. take immediate steps to put in place alternative mechanisms to ensure that the transfers are legal.