The group of EU data protection regulators (the Article 29 Working Party) have issued their first guidance on last week’s landmark decision of the Court of Justice of the European Union (CJEU) to declare the “Safe Harbor” arrangements invalid.
The regulators have reiterated the Court’s view that indiscriminate data gathering by US law enforcement and intelligence agencies is incompatible with EU data protection standards. They have called for EU member states and institutions to urgently engage with US authorities to find a solution, in the form of an inter-governmental agreement.
In order to satisfy the parameters set in the CJEU ruling, it is likely that such an agreement would have to provide assurances as to the necessity and proportionality of data gathering, and provide EU citizens with rights of legal redress in the US. Agreeing these points with US authorities is likely to be far from straightforward.
The Article 29 Working Party says it will continue its analysis of the impact of the CJEU ruling on other methods of data transfer. This is a concern, as the regulators seem to be saying that they might later say that other methods of transfer are also invalid. There is no clear indication that any other guidance will be forthcoming, however, although they do refer to each data protection authority carrying out awareness-raising campaigns. This is again a little concerning if it means there will be a fragmented, national approach rather than a coordinated EU-wide one.
In the meantime, the regulators have confirmed that transatlantic data transfers which are legitimised on the basis of alternative protection arrangements (for example, by using Standard Contractual Clauses) will continue to be permitted.
The guidance goes on to make it clear that any data transfers that rely only on the US recipient’s Safe Harbor registration are automatically unlawful from the date of the CJEU’s ruling. So, that seems to be a clear signal that no action will be taken for transfers under Safe Harbor up to that time (hardly surprising), but there is no guarantee that enforcement action won’t later be taken in relation to personal data transfers happening now.
Whilst their analysis of the judgment is ongoing, it is clear from the guidance that the regulators are not prepared to wait too long before taking enforcement steps. The statement says that if no appropriate inter-governmental solution is found by the end of January 2016, the regulators will consider taking co-ordinated enforcement action.
Businesses which transfer personal data to America should therefore urgently review their current data transfer arrangements in order to determine whether such transfers can continue to be lawfully justified and make any necessary changes to those arrangements.