The Court of Justice of the European Union (CJEU) has declared that the Commission's US Safe Harbour Decision 200/520 is invalid. This means that companies can no longer rely on Safe Harbour certification in order to legitimise the transfer of personal data from the EU to the US. Impacted companies will need to put alternative arrangements in place immediately to legitimise their transfers of personal data to the US, such as the Model Contractual Clauses or Binding Corporate Rules (BCRs).
The decision also means that the Data Protection Commissioner (the DPC) must now examine and decide whether, pursuant to the Data Protection Directive 95/46/EC, transfer of the data of Facebook's European subscribers to the US should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
The CJEU's decision will put further pressure on the EU-US to reach a speedy agreement on the reform of Safe Harbour. Negotiations have been stuck for some time on the European Commission's recommendation that US authorities should only be allowed to access data covered by Safe Harbour to the extent that is strictly necessary or proportionate to the protection of national security. This effectively requires US authorities to restrict their electronic data surveillance practices. The CJEU's decision today shows the importance of this revision being agreed to in order for the negotiations to move forward. For further information please click here.
Following the landmark ruling the EU data protection authorities assembled in the Article 29 Working Party have discussed the first consequences to be drawn at European and national level.
The Court’s judgment requires that any adequacy decision implies a broad analysis of the third country domestic laws and international commitments. Therefore, the Working Party is urgently calling on the Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.
In the meantime, the Working Party will continue its analysis on the impact of the CJEU judgment on other transfer tools. During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used.
If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.