Following the EU Court of Justice (CJEU) ruling in the Schrems case the Article 29 Working Party (WP29) has issued a statement setting out its views on several critical issues going forward.

The WP29 comprises all of the national Data Protection Authorities across the EU. Although the WP29’s statement it not decisive, it is influential and welcome in light of conflicting signals that had been coming from different data protection authorities. The statement addresses the steps that must be taken by the EU Institutions to resolve the concerns identified in the CJEU’s judgment, and clarifies the WP29’s position on the measures that should be implemented by Safe Harbor-certified companies in the interim.

The statement emphasizes that transfers relying on Safe Harbor are now unlawful.  The WP29 considers that, on an interim basis, the EU Standard Contractual Clauses (or Model Clauses) and Binding Corporate Rules (BRCs) can still be relied upon to legitimize transfers of EU personal data to the United States, pending negotiations over the future of the Safe Harbor arrangements. During that time, the WP29 will “continue its analysis of the impact of the CJEU judgment on other transfer tools” (including the Model Clauses and BCRs). Furthermore, national data protection authorities will in the meantime exercise their powers in response to complaints if necessary to protect individuals’ privacy rights.

The statement indicates that if no appropriate solution is found between the EU and the US authorities by the end of January 2016,

EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.

In the meantime, the authorities will put in place appropriate national information campaigns to ensure that all stakeholders are sufficiently informed, and this may include contacting all known companies that previously relied on Safe Harbor.

The ramifications for companies that transfer personal data from the EU to the US, whether intra-Group or to third parties, are as follows:

  • If your business is Safe Harbor-certified or if it transfers EU personal data to a US company using Safe Harbor, you will need to consider adopting alternative solutions immediately. These may include, for example, the Model Clauses or BCRs.
  • If your company transfers EU personal data to the US using the Model Clauses or BCRs, you should be aware that these mechanisms may also be found to raise many of the same concerns that caused the CJEU to invalidate the Safe Harbor program; however, for the time being, the WP29 Statement would appear to mitigate the compliance risks arising from reliance on these measures.
  • Businesses should take stock of their data protection and data transfer practices in order to ensure that their practices conform to the commitments that they undertake pursuant to the Model Clauses or BCRs, and should consider ways of addressing compliance risks if the January 2016 deadline for concluding the Safe Harbor negotiations is not met.