On October 16, 2015, the Article 29 Working Party (the “WP29”) issued a statement on the consequences of the recent ruling of the Court of Justice of the European Union (the “CJEU”) invalidating the European Commission’s Safe Harbor Decision.
In its statement, the WP29 called upon the EU Member States and EU institutions to open discussions with U.S. authorities in order to find political, legal and technical solutions enabling transfers to the U.S. that respect EU citizens’ fundamental rights. According to the WP29, an intergovernmental agreement providing stronger guarantees to EU data subjects and a new Safe Harbor could offer such solutions.
Importantly, the WP29 indicated that it will continue analyzing the impact of the CJEU ruling on other data transfer mechanisms, such as standard contractual clauses and Binding Corporate Rules. The WP29 confirmed that, during this period, businesses can still rely on these data transfer mechanisms to transfer personal data to the U.S. According to the statement, however, this does not exclude the possibility for national data protection authorities (“DPAs”) to investigate particular data transfers (e.g., following a complaint) and exercise their powers to protect individuals.
Furthermore, if no solution is found with the U.S. authorities by the end of January 2016, the DPAs may, depending on the outcome of the WP29’s assessment of the other data transfer mechanisms, decide to take coordinated enforcement actions.
In any event, the WP29 states that businesses can no longer rely on the EU-U.S. Safe Harbor to transfer personal data from the EU to the U.S. To that end, the WP29 advises businesses to reflect on the eventual risks they take when transferring data and to consider putting in place any legal and technical solutions to mitigate these risks and to respect EU law. Meanwhile, national DPAs are expected to provide more information to businesses at a national level.