Update to Legal Update: Data Protection Authorities to Provide Guidance after the Invalidation of EU-US Safe Harbor Framework
Following the landmark decision (C-362/14) of the Court of Justice of the European Union (”CJEU”) by which the EU-US Safe Harbor Framework was rendered invalid (please see our Legal Update regarding the decision), the EU data protection authorities assembled in the Article 29 Working Party (WP29) provided further guidance on the practical implementation of the decision on 16 October 2015.
Summary of WP29’s statement:
- Transfers from the European Union to the United States that are still taking place under the Safe Harbour arrangement after the CJEU judgment are unlawful.
- The existing transfer tools (the Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR, which is a set of rules for intra-group transfers), and the reliance on data subject’s consent) can still be applied to transfers at least until the end of January 2016.
- During such “grace period”, the WP29 will continue its analysis of the impact of the CJEU judgment on such other transfer tools as, in the long run, the existing transfer tools do not provide a solution to the key element of the CJEU’s analysis i.e. the issue of “massive and indiscriminate” access to information by the U.S. government, which the CJEU found to go beyond what is necessary in a democratic society.
- The WP29 urges the Member States and the European institutions to discuss with the US authorities in order to find political, legal, and technical solutions enabling data transfers to the territory of the U.S. that respect fundamental rights. If, by the end of January 2016, no appropriate solution is found between the EU and the U.S. authorities and depending on the assessment of the transfer tools by the WP29, the EU data protection authorities are committed to take all necessary and appropriate actions, including joint enforcement actions. Obviously, this will put pressure and emphasis on the Safe Harbor 2.0 negotiations, which have been ongoing between the EU and U.S. for almost two years.
Next steps for companies to consider
Although SCC may eventually face the same challenges as the Safe Harbor, at the moment and until the expiry of the grace period, SCC would be a good “quick fix” for the EU-US transfers.
When it comes to BCR, as the same uncertainties exist around the legitimacy of BCRs, it may not be advisable, at the current situation, for multinational companies to initiate a time and money consuming process for implementing BCR.
We will continue to closely monitor this subject matter. Please feel free to contact our data protection & privacy specialists should you have any questions.