Last Friday (6 November 2015) the EU Commission issued a communication on the transfer of personal data from the EU to the US under the Data Protection Directive following the judgment by the Court of Justice in the Schrems case.
In addition to providing some welcome support for the use of data transfer mechanisms such as Model Clauses and BCRs, the communication also contains an important statement from the Commission that it intends to update the decisions it has previously made authorising personal data transfers to certain countries outside of the EU.
The EU Commission has previously issued decisions confirming that certain countries outside of the EU offer an adequate level of protection to personal data and therefore transfers to those countries are not restricted. The countries that benefit from those decisions are: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The Commission has recognised that the country adequacy decisions contain restrictions on EU Data Protection Authorities’ powers to identify and sanction infringements of European data protection rules. These same restrictions were part of the reason that the EU – US Safe Harbor scheme was found to be invalid.
The EU Commission will now update the decisions to remove the restrictions and in turn provide certainty about the ongoing validity of transfers to those countries.
In addition to taking a position on its adequacy decisions, the Commission also confirmed that in its view, the Model Clauses remain valid alternatives for justifying data transfers. It stressed that in principle, EU Data Protection Authorities would be bound by the Model Clauses and could not refuse data transfers to a country outside of the EU on the sole basis that the Model Clauses do not offer sufficient safeguards. The Commission acknowledged that this does not prejudice Data Protection Authorities from investigating, and if needed, suspending data transfers. However, in case of doubts, the Data Protection Authorities should bring these cases before a national court which in turn may make a request for a ruling to the Court of Justice. In sum, Data Protection Authorities should be careful with general statements about the validity of Model Clauses and, if in doubt, seek the view of the European Court of Justice.
You can read the full Commission communication here.