The EU’s Article 29 Working Party issued a statement today on the recent Schrems decision invalidating the adequacy of the EU-U.S. Safe Harbor framework, emphasizing that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” In response, we publish here a high-level analysis of the possible options available for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Safe Harbor 2.0, and consent—and the pros and cons of choosing each one.
The recent decision by the Court of Justice of the European Union invalidating the adequacy of the EU-U.S. Safe Harbor framework has left a considerable gap in the options available to multi-national and EU companies that previously relied on Safe Harbor to legitimize data transfers to the United States. This puts these companies in a quandary, particularly with respect to how they handle EU data already transferred to the U.S. under Safe Harbor, and how they will continue to conduct trans-Atlantic business without a valid cross-border mechanism in place.
The EU data protection authorities, however, have made it clear that they expect those companies to ensure an adequate level of protection for European data at all times. In a nutshell, today’s statement by the Article 29 Working Party—comprised of the representatives of the data protection authorities of each EU Member State—reflected the following key views of the group:
- Safe Harbor 1.0 is no longer valid because it did not consider indiscriminate U.S. government surveillance
- A new, negotiated Safe Harbor 2.0 could be part of the solution in the future
- In the meantime, the Working Party will continue to analyze other available transfer tools, during which time Standard Contractual Clauses and Binding Corporate Rules can still be used
- That said, as pointed out by the Court in Schrems, these transfer mechanisms can be subject to investigation by data protection authorities to protect individuals in “particular cases,” for instance on the basis of complaints
Before the January 2016 enforcement deadline, companies that previously relied on Safe Harbor for their EU-to-U.S. transfers should consider these other transfer mechanisms.
To assist in the assessment of these mechanisms, we publish here International Data Transfers: Considering your options, a high-level analysis of the main data transfer alternatives to Safe Harbor.