Following the European Court of Justice’s decision in the Schrems case, which declared invalid the European Commission’s approval of Safe Harbor for US data transfers, EU national data privacy regulators met last week to discuss the consequences of the decision.
In a short statement (PDF) the group, known as the Article 29 Working Party, have said that:
- the question of massive and indiscriminate surveillance is a key element of the Court’s analysis
- the decision makes it clear that transfers still taking place under Safe Harbor are unlawful
- it is absolutely essential to have a robust, collective and common position on the implementation of the judgment
- pending the Article 29 Working Party’s further analysis of the decision on other transfer tools, standard contractual clauses (AKA the “Model Clauses”) and Binding Corporate Rules can still be used
- member states and the European institutions should “urgently” open discussions with the US to find legal and technical solutions that enable personal data to be transferred to the US in a manner that complies with EU law
It is interesting to note that the Article 29 Working Party is continuing to endorse (at least in the interim) the use of Model Clauses and Binding Corporate Rules for US data transfers. As has been noted here and elsewhere (for example, here), it is hard to see how the Model Clauses and Binding Corporate Rules offer data subjects any greater protection from “massive and indiscriminate surveillance” by the US authorities.
Timetable for enforcement action over Safe Harbor?
The Article 29 Working Party goes on to indicate that national regulators have given the European Commission and the US authorities three months to propose a replacement for Safe Harbor that complies with EU privacy laws before enforcement action will be taken against continued use of Safe Harbor:
“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
Whilst opinions of the Article 29 Working Party have no formal legal standing, they do reflect the collective views of the national regulators in terms of how they will interpret EU privacy laws.
The Schrems decision specifically states that national privacy regulators should be taking a more critical role in relation to international data transfers using transfer tools approved by the European Commission.
What should data controllers be doing?
In the meantime, the Article 29 Working Party encourages data controllers to review and assess their current reliance on Safe Harbor and to identify what steps can be taken to mitigate the risks to personal data:
“in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.”
That will involve identifying the transfers that each data controller has in place, understanding what data is actually transferred and then considering what action should be taken in relation to each transfer.
If you would like to discuss the consequences of the Schrems decision or would like assistance in reviewing your organisation’s use of Safe Harbor, please get in touch.
On October 19, 2015