The decision of the Court of Justice of the European Union (CJEU) invalidating the U.S.-EU Safe Harbor in Schrems v. Data Protection Commissioner (C-362-14) left countless companies with questions concerning how broadly that decision will be interpreted; when and how the decision will be enforced; and whether and how companies can lawfully transfer data from the EU to the U.S. moving forward.  Earlier today, the Article 29 Working Party (the “Working Party”) released a statement that provided companies with insights into answers to some of those questions.  Significant questions remain.

Key points addressed in the statement included the following:

  • Immediate Impact of CJEU Judgment in Schrems: “Transfers that are still taking place under the Safe Harbor decision after the CJEU [October 6, 2015] judgment are unlawful.”
  • Standard Contractual Clauses and Binding Corporate Rules Are Valid Transfer Mechanisms (At Least for Now), but the Future is Cloudy
    • Advised that, at this point, Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”) can still be used, but that the Working Party is analyzing the impact of the CJEU opinion on other methods of transfer.
    • The Working Party appears open to the possibility of invalidating SCCs and BCRs as well.  It cited “massive and indiscriminate surveillance” in the U.S. as the key element of the CJEU’s analysis in Schrems.  The CJEU’s broad reasoning has led many (including Fey LLC) to predict that the CJEU judgment could be applied to SCCs and BCRs, which do not provide protections against mass governmental surveillance.
  • A New Safe Harbor is Still a Possibility—if Political, Legal and Technical Solutions Are Found that Respect EU Data Privacy Rights
    • Encouraged open discussions with U.S. authorities concerning solutions to enable personal data transfers to the U.S.
      • Noted that negotiations around a new Safe Harbor could be part of the solution.
      • Asserted that solutions should be assisted by clear, binding mechanisms for transfer.
      • Further asserted that solutions should include obligations on:
        • Oversight of access by public authorities;
        • Transparency;
        • Proportionality;
        • Redress mechanisms; and
        • Data protection rights.
  • The Working Party Provided an End of January 2016 Deadline for Development of a Solution with U.S. Authorities.
  • Before the End of January 2016: Data Protection Authorities (“DPAs”) Can Continue Data Protection Enforcement in Individual Cases
    • DPAs can continue to investigate particular cases and to exercise their powers to protect individuals.
    • For example, if an individual makes a complaint against a company for a particular data transfer, a DPA can investigate that complaint for violations of the EU Data Protection Directive.
  • After the End of January 2016: Potential for Coordinated Enforcement Activity Across the EU
    • If no appropriate solution between the U.S. and EU is found (e.g., a new Safe Harbor) by January 2016, DPAs have committed to take “all necessary and appropriate actions—which may include coordinated enforcement actions.”
    • The EU DPAs enforcement activities after January 2016 could also relate to transfer solutions beyond Safe Harbor (e.g., SCCs and BCRs), if the Working Party’s analysis of the impact on the CJEU judgment finds that such tools are no longer valid.
  • The Working Party Desires a Unified Enforcement Approach Across the EU
    • Stated that DPAs believe it is “absolutely essential” to have a robust, collective and common position on the implementation of the judgment.  Thus, it appears the goal is to ensure a united front from EU DPAs.
  • The Working Party’s Broad Advice to Companies Looking for Answers in the Wake of Schrems: Risk Assessment and Mitigation
    • Advised that businesses should reflect on risks they take when transferring data, and put in place any legal and technical solutions in a timely manner to mitigate those risks and respect the entire body of EU data protection law.
    • EU DPAs will be providing additional information at a national level (e.g., direct messages to companies relying on Safe Harbor; general messages on the DPA’s website).
Print Friendly, PDF & Email