Background
On 16 October, the Article 29 Working Party released a statement (“Statement”) on the implications of the Court of Justice of the European Union’s (“CJEU”) judgment in Maximillian Schrems v Data Protection Commissioner (C-362-14). In that judgment, the CJEU invalidated the Safe Harbor regime, which for 15 years had been one of the main tools available to businesses to legitimise transfers of personal data from the EU to the United States. Read our Client Alert on the judgment.
The Article 29 Working Party (“Working Party”), which was established under Directive 95/46/EC, is a body made up of representatives from the data protection authorities of each EU Member State, as well as representatives from the European Commission and the European Data Protection Supervisor.
The Statement
The Statement’s core message is that businesses should expect to see national authorities taking robust enforcement steps where appropriate. There will be a “robust, collective and common position” on the implementation of the CJEU’s judgment, and businesses that relied on Safe Harbor should be looking to implement new measures to legitimise data transfers to the United States, since such transfers are now unlawful. The use of Standard Contractual Clauses and Binding Corporate Rules “will not prevent data protection authorities [from investigating] particular cases, for instance on the basis of complaints.” The Statement also promises further information campaigns to be released by national authorities over the coming months, and indicates that there is potential for direct information to be provided to known companies that relied on Safe Harbor.
The way forward
In the short term, the Working Party’s position is that Standard Contractual Clauses and Binding Corporate Rules can still be used. However, the CJEU’s judgment has the potential to cause a domino effect, with Safe Harbor being the first to fall.
The Statement recalls that a key consideration in the court’s ruling was the massive and indiscriminate surveillance carried out by U.S. intelligence authorities. To this end, the Working Party restates its view that such surveillance is incompatible with the EU legal framework, and that “existing transfer tools are not the solution to this issue.”
The Working Party calls on Member States and European institutions to open discussions with the United States in order to find political, legal and technical solutions enabling the transfer of personal data to the United States, with adequate respect for fundamental rights. Such solutions should include binding mechanisms, and in particular there should be oversight of access by public authorities.
Where does it leave us?
The Working Party’s Statement is a clear call to action for businesses. Significantly, it states that if by the end of January 2016 no appropriate solution is found with the United States, the EU data protection authorities are “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
National data protection authorities are waking up to the court’s ruling, which has created a huge potential for an increase in enforcement activity. Some, like the French CNIL, have already put the Working Party’s Statement on their front page. The immediate implications of the judgment are for data transfers between the EU and the United States, but the principle behind it is that national authorities should look behind the use of legitimising techniques such as Standard Contractual Clauses and Binding Corporate Rules to see what the reality is. This will require businesses to take a hard look not just at the contracts that they have in place, but also at what happens in reality. This will become increasingly important as the implementation of the General Data Protection Regulation approaches, since the sanctions that authorities can impose will increase to €1 million, or between 2% and 5% of gross annual turnover.
In addition to the potential for enforcement by national data protection authorities, businesses should be mindful of the potential for increased litigation as a result of the CJEU’s judgment. In particular, when the General Data Protection Regulation comes into effect, it is widely expected that mandatory data breach notification provisions will trigger an increase in litigation, with individuals claiming damages for the disclosure of their data. Claims of this type should not be considered trivial, as the litigation process will entail scrutiny of businesses’ data protection frameworks.
The judgment has also had an impact on data protection law outside of the EU and the United States. Recently, Israel’s ILITA (the national data protection authority) announced that in light of the CJEU’s ruling, Safe Harbor can no longer be used to effect transfers from Israel under the Privacy Protection Regulations (Transfer of Data to Databases Outside of Israel) 2001.