Following the decision of the ECJ on 6 October 2015 declaring the EU-US Safe Harbor system for data transfer invalid, the Article 29 Working Group of European data protection authorities has now issued a statement setting out its views on several critical issues going forward.
The WP29 comprises all of the national Data Protection Authorities across the EU. Although the WP29’s statement it not decisive, it is influential and welcome in light of conflicting signals that had been coming from different data protection authorities, particularly in Germany. The statement addresses the steps that must be taken by the EU Institutions to resolve the concerns identified in the CJEU’s judgment, and clarifies the WP29’s position on the measures that should be implemented by Safe Harbor-certified companies in the interim.
The statement emphasizes that transfers relying on Safe Harbor are now unlawful. The WP29 considers that, on an interim basis, the EU Standard Contractual Clauses (or Model Clauses) and Binding Corporate Rules (BCRs) can still be relied upon to legitimize transfers of EU personal data to the United States, pending negotiations over the future of the Safe Harbor arrangements. During that time, the WP29 will “continue its analysis of the impact of the CJEU judgment on other transfer tools” (including the Model Clauses and BCRs). National data protection authorities will in the meantime exercise their powers in response to complaints if necessary to protect individuals’ privacy rights.
The statement indicates that if no appropriate solution is found between the EU and the US authorities by the end of January 2016 EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
Click here for a copy of the statement: