The EU Commission has published its initial guidance on the decision of the Court of Justice of the European Union’s to declare the Safe Harbor arrangements invalid.

We have written about the Court’s decision, and on the initial guidance of the group of EU data protection regulators (the Article 29 Working Party).

The Commission made the following points:

  • The Commission has stepped up its discussions with the US authorities about a new data transfer framework treaty to replace Safe Harbor. Their objective is to conclude these discussions within the next 3 months.
  • In the meantime, alternative data transfer methods (for example using the Commission’s Standard Contractual Clauses, or approved Binding Corporate Rules) are acceptable methods of legitimising cross Atlantic data transfers. However, the Article 29 Working Party is continuing its review into these alternative transfer methods.
  • It remains the responsibility of data controllers to ensure sufficient safeguards are put in place even where, for example, Standard Contractual Clauses are used. Data controllers must make an assessment of all the circumstances around the transfer (e.g. is the data being appropriately secured in the third country from a technical and organisational perspective?). Compliance will be assessed on a case-by-case basis.
  • If data controllers rely on the consent of individuals to legitimise data transfers to the US, the risks associated with the transfer must be clearly explained to the individuals when consent is sought. However, the Commission does not see consent as providing a long term solution to large scale structural data transfers.

The Commission’s position is unsurprising and re-affirms many of the points made earlier by the Article 29 Working Party.

The Commission’s key challenge now lies in trying to obtain real concessions from the US authorities with the aim of moving the US closer to providing equivalent protection for personal data to that provided in the EU.