We reported in our recent update that in the Schrems v. Data Protection Commissioner of Ireland decision the Court of Justice of the European Union (“CJEU”) declared Safe Harbor invalid under EU law. We subsequently discussed possible alternatives to Safe Harbor in our related webinar. The Article 29 Data Protection Working Party (“the Working Party”) has now held a meeting and issued a statement outlining its views as to the consequences of the CJEU decision that invalidated Safe Harbor.
The statement identifies the “massive and indiscriminate surveillance” of authorities as a key question of the CJEU decision. The Working Party emphasizes that personal data transfers from the EU to the US relying on the old Safe Harbor are now “unlawful”. The statement urges the EU Member States and Institutions together with the US authorities to find solutions to legitimize future transfers of personal data from the EU to the US.
What is the Working Party?
The Working Party was set up under the European data protection Directive (95/46/EC). It is an advisory board consisting of EU data protection authorities (one from each member state); it has advisory status and acts independently. Its opinions are normally followed by the regulators individually, and so it is immensely influential.
What is Safe Harbor and Schrems v. Data Protection Commissioner of Ireland?
Under the EU data protection laws, personal data may not be transferred outside the European Union unless the data recipient assures an ‘adequate level of protection.’ For fifteen years Safe Harbor was one of a number of mechanisms available to European companies to ensure this ‘adequate level of protection’ when transferring data to the US.
In Schrems v. Data Protection Commissioner of Ireland the CJEU found that the Safe Harbor Agreement does not provide enough guarantees that data on EU citizens will remain safe when transferred to the US. The CJEU decision cannot be appealed and went into effect upon issuance on October 6, 2015.
The Working Party’s Opinion
In its opinion, the Working Party identifies the consequences of the invalid Safe Harbor mechanism.
The Working Party emphasizes that the “question of massive and indiscriminate surveillance is a key element of the Court’s analysis” and the existing transfer tools cannot solve this issue. The Working Party points out that transfers to third countries where state authorities have broad access to the information imply a broad analysis of laws and commitments.
The Working Party calls for open discussions between the EU Member States, the European Institutions and US authorities “to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights” of EU citizens and calls for action. The statement suggests that the ongoing negotiations around a new Safe Harbor could be a part of a solution.
The Working Party advises that it will continue its analysis on the impact of the CJEU judgment on a data transfer based on alternative transfer tools, i.e. Standard Contractual Clauses and Binding Corporate Rules. During this period Standard Contractual Clauses and Binding Corporate Rules can still be used. However, the statement also points out that this will “not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.”
Crucially, if by the end of January 2016 no appropriate solution is found with the US authorities, and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
What does this mean for US companies that are Safe Harbor members?
US Safe Harbor members are not doing anything unlawful. The Safe Harbor program continues to be administered by the US Department of Commerce.
What does that mean for the EU companies that transfer data to the US?
However, EU companies sending data to US members of Safe Harbor can no longer rely on such membership. In order to act lawfully, such EU companies should put in place alternative mechanisms by, for example, entering into Standard Contractual Clauses or implementing Binding Corporate Rules (BCRs).
If the US, the European institutions and the EU Member States cannot agree on an appropriate solution for a legal transfer of personal data from the EU to the US by the end of January 2016, the Working Party is threatening greater scrutiny of the transfer of such data based on Standard Contractual Clauses and Binding Corporate Rules. The EU data protection authorities may at that stage start enforcement actions against European companies exporting personal data to the US (under any of the solutions, not only Safe Harbor).