Late on Friday 16 October, Europe’s data protection regulators issued an opinion enabling ongoing transfers of personal information from the EU to the US, at least for the time being.
This followed on from the CJEU’s 6 October decision in the Schrems case that the so-called “safe harbor” regime used by more than 4000 US companies to legitimize the import of EU personal information was invalid.
Following that decision a number of German data protection authorities ruled that “model clauses”, another mechanism used by thousands of other organisations to legitimize EU to US transfers, were also invalid.
There was growing concern that the Article 29 Working Party, an influential body representing Europe’s data protection authorities, would follow the German approach creating more uncertainty and removing one of the few remaining limbs to support transfer.
Businesses on both sides of the Atlantic can breathe a sigh of relief. The opinion, although far from categorically supporting the other transfer mechanisms, preserves them intact, at least for the time being. The Working Party:
- Calls for a robust, collective and common position on the implementation of the Schrems judgment.
- Calls on Member States and the European institutions to open discussions with the US authorities to find political, legal and technical solutions enabling data transfers that respect the fundamental rights of European citizens.
- States that in the meantime it will continue its analysis on the impact of the judgment on other transfer tools.
- States that for the time being, “data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used” though with a warning that this does not prevent local data protection authorities investigating particular transfers.
- States that if a solution isn’t found by the end of January 2016 and depending on its assessment of the various different transfer tools, “EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
- Calls on businesses to reflect on the risks they take when transferring data and consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect EU data protection laws.
The Commission has been caught unprepared for the consequences of the Safe Harbor ruling which left Europe’s data protection authorities in a difficult position. There will have been intense debate over the last week in the Article 29 Working Party reflecting widely diverging views among Member State authorities. This was far from a straightforward task and the opinion should be welcomed for enabling ongoing data transfers, whilst preserving the right for individual Member States to investigate particular transfers.
However, we certainly aren’t out of the woods yet. Some Member States have already taken a much more restrictive approach to transfer and last week’s ruling is fodder for follow-on litigation by privacy activists, disgruntled employees and consumers. Organisations need to assess their exposure and make sure that their transfer solutions still work.
The Working Party has added to the pressure on the Commission and Member State governments to reach agreement with the US on a longer term legal solution to this problem by imposing a deadline of the end of January 2016 after which they threaten coordinated enforcement action.
Although the guidance of the Article 29 Working Party is not law as such, it is influential and is invariably followed by national data regulators and courts. Datonomy will continue to monitor developments.
Olswang’s analysis of the CJEU’s decision and a guide to the pros and cons of the alternative transfer mechanisms is here.