Important takeaways:

  • Use of Model Contracts and Binding Corporate Rules are viable alternatives to Safe Harbor for now
  • Potential ~90-day window to comply with new requirements regarding transfer of EU citizens’ personal information
  • Reliance on only Safe Harbor unlawful

On October 6, 2015, we reported that the European Court of Justice (ECJ) invalidated the European Commission’s decision that provided the basis for the EU/U.S. Safe Harbor Framework (Safe Harbor). The ECJ’s ruling was largely based on the reasoning that U.S. national intelligence agencies’ ability to access EU citizens’ personal information stored in the U.S. established that the Safe Harbor could not provide adequate protection for the privacy of European citizens and thus data transfers from the EU to the U.S. could not comply with EU law. The 15-year-old Safe Harbor, now in jeopardy, provided the primary means for companies to share data on European citizens with their U.S.-based operations and business partners.

Within days of the ECJ’s decision, EU data protection authorities assembled the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data (Working Party) to discuss the consequences of the decision and next steps on EU regulation of data transfers to the U.S. The Working Party is an independent advisory body on data protection and privacy, composed of representatives from EU member states’ national data protection authorities as well as the European Data Protection Supervisor and representatives of the European Commission.

On Friday, the Working Party released a statement summarizing the results of those discussions. The statement had three key components:

  1. Continued Viability of Model Contracts and Binding Corporate Rules.The statement affirmed that the data protection authorities for now consider the use of “Model Contracts” and “Binding Corporate Rules” as viable alternatives to the Safe Harbor for receiving and processing EU data in the U.S. Model Contracts contain contractual provisions deemed by law to provide adequate data protection for cross-border data transfers. Binding Corporate Rules are internal rules (such as Codes of Conduct) used by some very large multinational companies to assure data protection when data is transferred among affiliates in different countries. That said, the Working Party also emphasized that “massive and indiscriminate surveillance” played a key part in the ECJ’s decision, and even though Model Contracts and Binding Corporate Rules may be used, data protection authorities may under all circumstances investigate particular cases, including those based on individual complaints. The Working Party also stated that it is continuing to review the viability of these alternatives in light of the ECJ decision, casting some doubt on the long term viability of even these remaining measures.
  2. Potential Grace Period for Compliance. In its statement, the Working Party urged the EU and the U.S. to negotiate a new bilateral agreement that would fix the defects on which the ECJ based its judgment. The statement went on to note that, “If by the end of January 2016, no appropriate solution is found with the U.S. authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” While far from explicit, this language may imply that the data protection authorities will withhold enforcement action until 2016 and may be providing an informal grace period for compliance with the ECJ’s decision.
  3. Transfers Relying Solely on Safe Harbor Not Lawful. The statement noted the Working Party’s unambiguous conclusion that after the ECJ’s decision, data transfers that rely solely on the Safe Harbor for compliance with European privacy law are no longer lawful.

Given the conclusions of the Working Party, companies previously relying on the Safe Harbor should promptly begin to examine the available alternatives, as waiting until next January to do so will leave little time to implement new systems. At the same time, the ambiguities in the latest Working Party’s statement mean that the planning will be a fluid process.