What does this cover?
The Article 29 Working Party (WP29), the UK ICO Deputy Commissioner David Smith and the EC Commissioner Věra Jourová have each made statements in relation to the current Safe Harbor opinion. Similar issues were addressed in each of the statements, with the continued focus being upon a coordinated approach to be taken across the EU in finding a solution to the current Safe Harbor problem.
The WP29 press release of 16 October emphasised the necessity for DPAs across the EU to maintain a "robust, collective and common position" when implementing the CJEU's decision. The WP29 urged member states and EU institutions to commence discussions with the US to establish a data transfer solution that can be deemed to observe fundamental rights. We have identified below, some of the specific comments made in the statement:
- Transfers that continue to take place on the basis of the Safe Harbor regime are "unlawful";
- WP29 will continue to analyse the impact of the Safe Harbor decision in relation to alternative transfer methods;
- WP29 will be monitor the progress of matters before the Irish High Court;
- In the meantime, DPAs should consider the use of Model Clauses and BCRs as valid transfer methods;
- DPAs are entitled to investigate individual transfers and may act as necessary in order to ensure the protection of personal data;
- DPAs should ensure information is available at a national level so that "all stakeholders are sufficiently informed";
- A 'grace period' shall run until January 2016, at which point, if no solution has been established with the US, EU DPAs should ensure they take all necessary enforcement actions in relation to US data transfers;
- Reference was made to the possibility of coordinated enforcement actions between DPAs across the EU.
On 26 October Věra Jourová, the EU Commissioner for Justice (the Commissioner), Consumers and Gender Equality, gave the Civil Liberties Committee of the EU Parliament (LIBE) an update on the latest Safe Harbor developments.
The Commissioner summarised the developments so far, including the WP29 statement and intention to find a solution by the end of January, calling for "maximum clarity" whilst we await said solution. The EU Commission will shortly be issuing an "explanatory Communication on the consequences of the Schrems ruling setting out guidance on internal data transfers", which will work alongside national DPAs ensuring data protection laws are upheld across the EU in the meantime.
The Commissioner emphasised the need for "more clarifications" from the US, asserting that the EU had not been "dragging" its feet when it came to finding a solution. In addition, the Commissioner stated there was agreement "in principle" on matters in discussion, but that details regarding how such commitments can become binding were still in progress. Attention was also drawn to the US in respect of more "targeted and tailored surveillance" and the EU assessment of these safeguards, as well as the Judicial Redress Bill.
On 27 October, David Smith, Deputy Commissioner and Director of Data Protection at the ICO published a blog article entitled 'The US Safe Harbor position – breached but not destroyed' in which he presents an update on the ICO's position regarding Safe Harbor.
The ICO took part in the WP29 meeting of on 15 October, from which the statement was produced. The Deputy Commissioner commented that the meeting was "a constructive one" and that the statement "recognises the importance of the data protection authorities working together."
The Deputy Commissioner also made the following observations:
- Legal uncertainty caused by the principle that EU DPAs are entitled to consider complaints from individuals who claim that data has not been adequately protected, even where there is an existing Commission decision on the issue;
- The potential impact on adequacy findings and Model Clauses;
- Model Clauses and adequacy decisions will continue to be analysed by the WP29 and others;
The Deputy Commissioner reiterated previous advice to keep calm. Adequacy decisions in relation to specific countries and Model Clauses can still be relied on by businesses. Having attended an industry round table meeting held by Baroness Neville-Rolfe, the Minister responsible for data protection, the Deputy Commissioner had the following advice to give to businesses in the UK:
- Don't panic: this reiterates the ICO's original advice not to put in place other mechanisms that may in turn be problematic;
- Take stock: consider data flows and the arrangements already in place and consider which steps might be more suitable in light of guidance available so far;
- Make your own mind up: the UK allows companies to rely on their own adequacy assessments, and although these do not offer the same level of legal protection, it will depend on the nature of data being transferred and who it is being transferred to.
The ICO will not be hurrying to employ their enforcement powers, other than investigating complaints in accordance with "published enforcement criteria". The Deputy Commissioner emphasised the UK's commitment to ensuring a unified approach across the EU in order to deliver "a single and sensible message".
The ICO will continue to update their advice and be providing practical guidance to businesses during this uncertain time and believe that the next few months will be "critical" and hope that a Safe Harbor 2.0 "will emerge and provide a strong and effective framework" for future EU-US data transfers. Interestingly, the Deputy Commissioner commented that those entities likely to "wield more influence" during discussions in coming months are "the business community and particularly multi-nationals", more so than either the ICO or the WP29.
To view the Deputy Commissioner's blog article, please click here.
To view the full statement of the Article 29 Working Party, please click here.
To view the transcript of the EU Commissioner's speech, please click here.
What action could be taken to manage risks that may arise from this development?
As per our original response to the Safe Harbor decision, we recommend an analysis of data flows within companies, and where necessary, the implementation of alternative methods for the transfers of personal data between the EU and US, whilst we await further statements and developments at both an EU and national DPA level.