On Tuesday October 6th the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner. The table below correlates the statements made by each Data Protection Authority in the European jurisdictions Bird & Bird operates in.

Belgium

Authority: Commission de la Protection de la Vie Privée (in English: Commission for the Protection of Privacy)

Date: 06 October 2015

Linkhttp://www.privacycommission.be/fr/La-cour-de-justice-de-lunion-europeenne-sest-prononcee-sur-la-sphere-de-securite

Language: French (also available in Dutch)

Short summary: The Commission only stated that it would analyse the decision jointly with the other data protection authorities during the meeting of the Art 29 group – given its importance coordination is required – and would revert with its decisions and opinion on Friday 15 October.

Czech Republic

Authority: Úřad pro ochranu osobních údajů (in English: The Office for Personal Data Protection)

Authority: Office for Personal Data Protection of the Czech Republic

Date: 09 October 2015

Language: Czech

Linkhttps://www.uoou.cz/neplatnost-rozhodnuti-komise-o-tzv-safe-harbor/d-16865/p1=1099

Short Summary: "On 6 October the European Court of Justice adopted a fundamental decision on transfer of personal data between the EU and the USA. In case C-362/14 Maximillian Schrems vs. Data Protection Commissioner the CJEU ruled that the Commission decision 2000/520, which states that the USA under the procedure known as "safe harbor" ensure adequate level of protection of personal data transferred, is invalid. The Czech Data Protection Authority has been alerting over a long period the data exporters exporting the data to US that the participation of data recipients in Safe Harbour cannot factually ensure the adequate level of protection of data in US, which was finally confirmed by the authority of CJEU."

Denmark

Authority: Datatilsynet

The Data Protection Authority in Denmark has not yet made a public announcement.

The Danish Data Protection Authority said they will not provide a statement on the decision of the CJEU until after the data protection authorities' joint meeting next week. They recommend not sending authorisation requests where transfers are based on Safe Harbors until after the meeting.

Finland

Authority: Tietosuojavaltuutettu (in English: Data Protection Ombudsman)

Date: 07 October 2015

Link:http://www.tietosuoja.fi/fi/index/ajankohtaista/tiedotteet/2015/10/euntuomioistuinantoipaatoksenliittyensafeharboriin.html

Language: Finnish

Summary: The Finish Data Protection Authority has only made a brief statement notifying that the decision by the CJEU was given. It is expected that more information will be provided after the data protection authorities' joint meeting next week, given a recent interview of the Data Protection Authority in the press.

France

Authority: CNIL – Commission Nationale de l’Informatique et des Libertés (in English: French Data Protection Authority)

Date: 07 October 2015

Linkhttp://www.cnil.fr/linstitution/actualite/article/article/invalidation-du-safe-harbor-par-la-cour-de-justice-de-lunion-europeenne-une-decision-cl/

Language: French

Short summary: The CNIL welcomes the CJEU decision as a key decision for the protection of personal data. According to the CNIL, data protection authorities will need to assess the validity of transfers of personal data that are submitted to them, taking into account the fact that the US situation is not “adequate”. The CNIL will shortly meet its EU counterparts at the meeting of the Article 29 Working Party in order to determine more precisely the legal and operational consequences of the CJEU decision regarding transfers of personal data that have been carried out on the basis of the Safe Harbor.

The CNIL has also updated the page of its website dedicated to obligations for international transfers of data by stating that it is not possible anymore to transfer personal data on the basis of Safe Harbor (available in French at http://www.cnil.fr/vos-obligations/transfert-de-donnees-hors-ue/).

Germany

Authority: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (in English: Federal Commissioner for Data Protection and Information Freedom)

Date: 06 October 2015

Link:http://www.bfdi.bund.de/DE/Infothek/Pressemitteilungen/2015/21_EuropaeischerGerichtshofKipptSafeHarbor.html?nn=5217040

Language: German

Short summary: The Federal Commissioner for Data Protection and Information Freedom welcomes the CJEU decision stating that the court rendered a milestone judgement for data protection. It further stressed that the judgement strengthens the powers of European data protection authorities and that data flows to the US need to be reconsidered in the light of the CJEU's decision. The Federal Commissioner announced that it will now thoroughly examine and discuss the decision as well as its consequences with other European data protection authorities to align on further steps.

Other German data protection authorities (e.g. Berlin, Hamburg and Bavaria) have also published press releases, all of them welcoming the decision (all in German).

Berlinhttp://www.datenschutz-berlin.de/attachments/1149/711.352.1.pdf?1444123845

Hamburghttps://www.datenschutz-hamburg.de/news/detail/article/eugh-kippt-transatlantisches-safe-harbor-abkommen.html

Bavariahttps://www.datenschutz-bayern.de/presse/20151007_eugh.html

Hungary

Authority: NAIH - Nemzeti Adatvédelmi és Információszabadság Hatóság (in English: Hungarian National Authority for Data Protection and Freedom of Information)

Date: 06 October 2015

Linkhttp://naih.hu/files/2015-10-06-Kozlemeny---Safe-harbor.pdf

Language: Hungarian

Short summary: The NAIH welcomes the CJEU decision and stressed that there is a need for thorough review of the data flows to the US. The NAIH is evaluating the possible consequences of the CJEU ruling and liaising with the data protection authorities of other Member States. The results of these discussions can be expected within the next few weeks.

Italy

Authority: Garante per la protezione dei dati personali (in English: Italian Data Protection Authority)

Date: 06 October 2015

Linkhttp://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4308245

Language: Italian

Short summary: The Garante firmly welcomes the CJEU decision as it draws the attention of the Member States, once again, to the fundamental rights of individuals and the need to protect them, in particular the protection of data outside the EU. The Garante strongly emphasises its view on the inadmissibility, after the Nice Charter, of indiscriminate surveillance and access by third parties authorities that do not act within the EU data protection rules. The Garante calls for a need for real and concrete protection of the data and states that it is now time for a coordinated action at EU level to identify effective ways to reach a mutual position and guidance.

Netherlands

Authority: College bescherming persoonsgegevens (in English: Dutch Data Protection Authority)

Date: 6 October 2015

Linkhttps://cbpweb.nl/nl/nieuws/reactie-cbp-op-safe-harbour-uitspraak-europees-hof

Language: Dutch

Short summary: The CJEU has declared the Safe Harbour agreement between European countries and the United States invalid. For some time now, the European data protection authorities have been of the opinion that additional safeguards are required for transfers of personal data to the US. This ruling underlines once again underlines the great importance of data protection, and that data protection is a fundamental right. It is important that supervisors can always conduct independent research and thus continue to uphold the rights of European citizens whose data travels around the world. The European privacy regulators will come together later this week to discuss this matter.

Ard-Jan and Gerrit-Jan also wrote a short Dutch newsflash on the ruling:http://birdbuzz.nl/2015/10/08/hvj-eu-verklaart-us-safe-harbor-beschikking-ongeldig/

Poland

Authority: GIODO – Generalny Inspektor Ochrony Danych Osobowych (in English: Inspector General for Personal Data Protection)

Date: 07 October 2015                                                     

Linkhttp://www.giodo.gov.pl/520/id_art/8896/j/pl/  and

http://www.giodo.gov.pl/1520123/id_art/8894/j/pl/ (the last is a reference to the EU Article 29 Data Protection Working Party's statement on the CJEU ruling.

Language: Polish

Short summary: According to the statement of the Press Spokeswoman of the GIODO, it is necessity to adopt a uniform approach by all data protection authorities concerning the CJEU decision. This is why the EU Article 29 Working Party should now examine the consequences of annulling the Commission's decision on ensuring an adequate level of protection within the Safe Harbor program.

The Press Spokeswoman of the GIODO already positively assessed the fact that the CJEU confirmed in its judgment that data protection rights constitute an integral part of EU fundamental rights. Given that the CJEU's judgment will trigger significant consequences for all the stakeholders of subjected data (data protection authorities and enterprises), the Article 29 Working Party will hold an extraordinary meeting this week dedicated to this subject in order to ensure a coordinated analysis of the CJEU's judgment and draw the first conclusions concerning personal data transfers being conducted within the Safe Harbor program, as well as by other means (Binding Corporate Rules and standard contractual clauses).

It is expected that the official standpoint of the Polish Data Protection Authority will be known after the meeting.

Slovakia

Authority: Office for Personal Data Protection of the Slovak Republic

Date: 08 October 2015

Language: Slovak

Linkhttp://dataprotection.gov.sk/uoou/sk/content/sudny-dvor-vyhlasil-rozhodnutie-vo-veci-schrems-vs-data-protection-commisioner

Short Summary: the Slovak Data Protection Authority has only published a short summary in relation to the CJEU's decision which is as follows, "On 6 October the European Court of Justice adopted a fundamental decision on transfer of personal data between the EU and the USA. In case C-362/14 Maximillian Schrems vs. Data Protection Commissioner the CJEU ruled that the Commission decision 2000/520, which states that the USA under the procedure known as "safe harbor" ensure adequate level of protection of personal data transferred, is invalid."

Spain

Authority: AEPD – Agencia Española de Protección de Datos (in English: Spanish Data Protection Agency)

Date: 06 October 2015

Link:http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2015/notas_prensa/news/2015_10_06-ides-idphp.php

Language: Spanish

Short summary: The AEPD summarises the decision and highlights the importance of data protection authorities to safeguarding data protection, not only in the EU but also in relation to international data transfers. According to the AEPD, the decision is crucial to the way international data transfers to the US are carried out and it strengthens the importance of data protection.

The AEPD points out that the European data protection authorities were already aware of the deficiencies of Safe Harbor and stated them in several papers. The AEPD assures that data protection authorities have planned to coordinate the analysis of the decision and the national measures to be taken so that the decision is applied in a consistent manner across the EU.

Sweden

Authority: Datainspektionen (in English: the Swedish Data Protection Authority)

Date: 06 October 2015

Linkhttp://www.datainspektionen.se/press/nyheter/2015/eu-domstolen-ogiltigforklarar-kommissionens-beslut-om-adekvat-skydd/

Language: Swedish.

Summary: The Swedish Data Protection Authority has only made a brief statement summarising the decision by the CJEU.

United Kingdom

Authority: ICO - Information Commissioner's Office

Date: 06 October 2015

Linkhttps://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/10/ico-response-to-ecj-ruling-on-personal-data-to-us-safe-harbor/

Language: English

Summary: The ICO statement recognises the significance of the decision, the need for regulators/legislators to provide a unified response and that it will take some time for data controllers to make alternative arrangements where they had previously relied on Safe Harbor for US transfers – in other words a ‘don’t panic, but review your position’ message for organisations. It also notes the importance of ongoing trade discussions between US and European bodies. The ICO stresses that Safe Harbor was just one of the available legal bases for EU-US transfers and that the ruling does not affect (1) the use of EU approved standard contractual clauses as part of data protection agreements; (2) the use of Binding Corporate Rules; (3) reliance on statutory exemptions such as the consent of individuals; and (4) the ability of controllers to 'self-assess' adequacy. We would be happy to assist assessment of these matters.