The Article 29 Working Party has, today, published its Statement following the Safe Harbor decision last week. It’s been confirmed that Model Contracts (a.k.a. Standard Contractual Clauses) and Binding Corporate Rules can still be used.
The DPAs also say that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgement”. Similarly, Giovanni Buttarelli, European Data Protection Supervisor said he was “largely optimistic” (as just reported by the IAPP) about the future of cross-border data transfers with the US.
Further, the Working Party is urgently calling on member states and EU institutions to open discussions with the US authorities to find political, legal and technical solutions to enable data transfers to the US. Clearly this is key.
Confirmation on Safe Harbor
As per last week’s Court Decision, Safe Harbor is invalid: No news here!
Can alternative transfer tools be used?
Yes! The Working Party says that Standard Contractual Clauses and Binding Corporate Rules can still be used. This was the line taken by the ICO last week.
However, pending agreement of upgraded arrangements for data transfer with the US, the Working Party says it will continue “its analysis on the impact of the CJEU judgment on other transfer tools”. If, by the end of January 2016, no solution is found with the US authorities and, depending on the assessment of other transfer tools by the Working Party, the EU DPAs are “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”.
This sounds like a grace period until the end of January for those who previously used Safe Harbor while retaining local DPAs rights to investigate and exercise powers based on particular concerns or complaints. Clearly, that will depend on local regulatory policy and culture.
A new deal with the US?
It’s clear from the Statement today that the Working Party follows the Court view on mass surveillance and compatibility with EU law. The Working Party is saying that a new deal with the US would involve political, legal and technical solutions in order to secure respect for fundamental rights (i.e., data protection). It also suggests that solutions could be found through the negotiation of an intergovernmental agreement that provides stronger guarantees for EU data subjects. So this is a broader issue that the current negotiations around a new Safe Harbor 2.0 although that could be “a part of the solution”. The Working Party is likely also looking for new law on oversight of surveillance and EU citizens’ data rights as minimum requirements.
What do we make of this?
The Statement is clearly the result of competing views on what should happen next. It gives a clear statement that Model Contracts and BCRs can still be used (good news). But it is a complicated picture. However, this doesn’t change our earlier recommendation that companies should identify data flows previously covered by Safe Harbor, assess the priority level and consider implementing one of the other solutions. Much will depend on the nature of your business, the data being transferred and the regulatory risk in particular jurisdictions in order to best assess next steps.