The Article 29 Working Party (“WP29”) – the collective body all of EU data protection regulators (“DPAs”) – has published a statement in reaction to the recent Schrems judgment. With Schremstriggering the end of the EU-US Safe Harbor arrangement, WP29 has called on DPAs to inform stakeholders and assist companies with on-going compliance.
The WP29 has confirmed that both the European Commission Standard Contractual Clauses and Binding Corporate Rules remain valid methods to transfer data to the US. However, DPAs may commence concerted investigation and enforcement in early 2016. We take a look at 4 points to note from this statement.
1. Implementing the judgment
WP29 has reiterated the need for EU data protection authorities’ to have a “robust, collective and common position” to successfully implement theSchrems judgment. The statement adopts the position that the core element to the Schremsdecision was the issue of massive and indiscriminate surveillance – something WP29 has previously stated is incompatible with EU law.
In light of the Schrems decision, the WP29 has called on Member States and EU institutions to enter discussions with the US, with the aim of finding political, technical and legal solutions to enable data transfers, while respecting fundamental rights. Current draft US legislation may play a part here, and Safe Harbor 2, if agreed, could also be part of the solution. However, WP29 stresses the need for “clear and binding mechanisms”, as well as “obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights”.
2. Alternative transfer tools
In response to questions and concerns arising since Schrems, WP29 has confirmed that the European Commission Standard Contractual Clauses and Binding Corporate Rules can still be used to validate data transfers outside the EEA. However, this will not preclude regulators from conducting investigations and enforcement action in specific cases, such as arising where complaints are filed. WP29 has signalled that it intends to undertake a review of transfer mechanisms following the court’s judgment.
In light of Schrems, transfers of personal data to the US can no longer be based on Safe Harbor. According to WP29, coordinated enforcement action arising out of such transfers may begin by end of January 2016. How such enforcement will play out depends largely on whether a sustainable solution with the US is found and also relies on the result of WP29’s review of available transfer mechanisms.
Given the degree of uncertainty affecting many companies following Schrems, particularly those previously reliant on Safe Harbor, EU data protection regulators will make a concerted effort to advise and inform stakeholders. In particular, they will work to assist companies in avoiding potential future liability. These campaigns will include direct contact with companies who currently rely on the Safe Harbor scheme. DPAs will also supply online notices via their respective websites.
WP29 advises that companies need to be aware of the “eventual risks” they take when transferring data outside the EEA and notes that companies should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect fundamental rights.
This statement has brought some additional clarity to the uncertainty many companies faced in the wake of the Schrems decision. Given the views of the WP29, companies should ensure that their data exports to the US (and other jurisdictions outside the EEA) are based on valid mechanisms. Given WP29’s stated aim of beginning investigation and enforcement actions in early 2016, companies that were previously Safe Harbor registered should now review how they export personal data to the US.