Following the Court of Justice ruling in the Schrems case, the European Commission intends to conclude discussions with US authorities on a new safe framework on transfer of personal data within 3 months.
The Commission's guidance analyses the consequences of the judgment and sets out the alternatives for transfers of personal data to the US in the meantime. The guidance clarifies that:
- the Safe Harbour arrangement can no longer serve as a legal basis for transfers of personal data to the US;
- the Commission will continue and finalise negotiations for a renewed and sound framework for compliant transatlantic transfers of personal data, notably as regards limitations and safeguards on access to personal data by U.S. public authorities;
- other adequacy decisions will need to be amended to ensure that Data Protection Authorities (DPAs) are permitted to investigate complaints by individuals.
The alternatives are:
- Contractual solutions: Model standard contractual clauses are available on the Commission website.
- Binding Corporate Rules for intra-group transfers: Internal group transfer rules have to be authorised by the DPA in each Member State from which the group companies wish to transfer data.
The Commission has also published a Q&A document on transatlantic data transfers