More Guidance from Europe on Safe Harbor Decision
Today, the European Commission’s Article 29 Working Party (the “Working Party”) issued a statement
calling for political action and providing critical guidance regarding the legal framework for EU-US data transfers following the decision last week by the Court of Justice of the European Union (“ECJ”) invalidating the EU-US Safe Harbor agreement (“Safe Harbor”) in Maximillian Schrems v. Data Protection Commissioner
Following the Schrems
decision, some observers warned that the ECJ’s reasoning for striking down Safe Harbor might lead to the invalidation of alternative legal bases for EU-US data transfers, such as Standard Contractual Clauses and Binding Corporate Rules. Earlier this week, those warnings proved prescient when a regional German DPA issued a position paper directly challenging the continued validity of some of these alternative legal mechanisms. These developments have generated uncertainty and concern for companies seeking to ensure compliance with EU data privacy laws, including companies that did not previously rely on Safe Harbor as a legal basis for their EU-US data transfers.
Today’s statement from the Working Party provides a measure of reassurance for businesses that have been forced to re-evaluate the legal basis for their EU-US data transfers in the wake of Schrems
. Perhaps most importantly, the Working Party stated that, at least in the immediate term, “data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used” as alternative legal mechanisms for data transfers to the U.S. However, the long-term viability of these alternative mechanisms remains unclear. The Working Party explained that ongoing “massive and indiscriminate surveillance” by the U.S. government “is incompatible with the EU framework” and “existing transfer tools are not the solution to this issue.” Accordingly, the Working Party called for political action on the part of the EU member states and further dialogue with the U.S. in order to reach a comprehensive resolution of this issue.
Reaction to Schrems Preceding the Working Party’s Statement
Prior to today’s statement from the Working Party, few DPAs had issued formal guidance regarding the impact of the Schrems
decision, although some had released statements suggesting the continued viability of alternative legal mechanisms for EU-US data transfers. For example, Deputy Commissioner of the UK Information Commissioner’s Office, David Smith, stated, “It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions.”
Likewise, in the European Commission’s press conference following the ruling, one Commissioner noted that “[t]he EU data protection rules provide for several other mechanisms that provide safeguards for international transfers of personal data, for instance through standard data protection clauses . . . or binding corporate rules for transfers within a corporate group.”
The Irish Data Protection Commissioner stated that “the significance of the judgment extends far beyond the case presently pending” but did not expressly comment on alternative legal mechanisms.
However, on October 14, the DPA for the German state of Schleswig-Holstein (“ULD”) issued a controversial position paper challenging the continued validity of some alternative legal mechanisms in light of Schrems
The ULD explained that the same fundamental reason for the ECJ’s invalidation of Safe Harbor – the U.S. government’s electronic surveillance activities – compelled the invalidation of certain alternative legal bases for such transfers, including Standard Contractual Clauses and data-subject consent. The head of the ULD, Marit Hansen, stated that “a significant change in U.S. law” would be required and suggested that companies reconsider all data transfers to the U.S. On the same day, the Civil Rights Committee of the EU Parliament (“LIBE”) called for immediate guidance from the European Commission regarding the effect of the Schrems
decision on alternative legal bases for EU-US data transfers.
Working Party Statement
As noted above, today’s Working Party statement provides a measure of reassurance for businesses, as it appears that, at least in the near term, companies can continue to rely upon Standard Contractual Clauses and Binding Corporate Rules as legal bases for their EU-US data transfers. However, the Working Party warned that, notwithstanding its statement regarding the use of Standard Contractual Clauses and Binding Corporate Rules, “this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.” Therefore, the possibility remains that a national DPA might investigate a particular data transfer, even one that is based on the use of such tools.
The Working Party’s statement highlighted the need for political action to develop a new framework for EU-US data transfers. The statement emphasized that ongoing U.S. government surveillance activities are “incompatible” with the EU privacy framework and that “existing transfer tools are not the solution to this issue.” Therefore, the Working Party is calling for political action by EU member states and further dialogue with the U.S. government, including the ongoing negotiations around a new Safe Harbor framework.
Other key points from the Working Party’s Statement include:
Transfers that are still taking place under Safe Harbor are unlawful following Schrems;
EU data protection authorities will undertake information campaigns at the national level, including direct information to all known companies relying on Safe Harbor;
If no “appropriate solution” is reached by January 2016, depending on the assessment of transfer tools by the Working Party, EU DPAs may undertake coordinated enforcement actions; and
Businesses should carefully consider the risks associated with data transfers and “should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks.”
and the Working Party’s statement, it is important for companies involved in EU-US data transfers, including companies that did not previously rely on Safe Harbor, to monitor these continuing developments regarding the evolving legal framework for such transfers.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.