Following the Court of Justice ruling in the Schrems case, the European Commission intends to conclude discussions with US authorities on a new safe framework on transfer of personal data within 3 months.

The Commission's guidance analyses the consequences of the judgment and sets out the alternatives for transfers of personal data to the US in the meantime. The guidance clarifies that:

  • the Safe Harbour arrangement can no longer serve as a legal basis for transfers of personal data to the US;
  • the Commission will continue and finalise negotiations for a renewed and sound framework for compliant transatlantic transfers of personal data, notably as regards limitations and safeguards on access to personal data by U.S. public authorities;
  • other adequacy decisions will need to be amended to ensure that Data Protection Authorities (DPAs) are permitted to investigate complaints by individuals.

The alternatives are:

  • Contractual solutions: Model standard contractual clauses are available on the Commission website.
  • Binding Corporate Rules for intra-group transfers: Internal group transfer rules have to be authorised by the DPA in each Member State from which the group companies wish to transfer data.

The Commission has also published a Q&A document on transatlantic data transfers