DPAs ready to take enforcement action if no solution found to US transfers by end of January 2016

On 6 October, the Court of Justice of the European Union (CJEU) declared the Safe Harbor Decision of the European Commission invalid. The CJEU invalidated the Safe Harbor as a basis for transferring personal data to the US, but the protection offered by Safe Harbor-certified members to the personal data which they process still remains a legal duty. National Data Protection Authorities (DPAs) in the EU Article 29 Working Party occupy different places along the critical spectrum, as do the different States (Länder) within Germany. Given the different views of DPAs in Europe, it is difficult for the Article 29 Working Party to agree on a clear and specific common approach. A plenary session took place on 15 October and the Article 29 Working Party issued a Statement on 16 October which said:

  • “it is absolutely essential to have a robust, collective and common position on the implementation of the judgment”
  • “the question of massive and indiscriminate surveillance is a key element of the Court’s analysis … such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue”
  • “the current negotiations around a new Safe Harbour could be a part of the solution”
  • “transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful”
  • “Standard Contractual Clauses and Binding Corporate Rules can still be used”
  • “if by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU DPAs are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”

Binding Corporate Rules and EU standard model clauses

DPAs can withdraw their approval for a company’s Binding Corporate Rules declaration, although we are not aware of any DPAs which have threatened to do so.

Even if your organisation uses the EU standard model clauses or Binding Corporate Rules as a legal basis for transferring personal data to the US, there is no guarantee that the US National Security Agency and other law enforcement agencies will not access the data. National security is a matter of national competence and, therefore, not within the competence of the European Union. At present, there are no cases where the EU standard model clauses have been challenged before the CJEU. The adequacy Decisions of the European Commission for these clauses are likely to stay as they are and be recognised by the EU Data Protection Regulation as well when it is finally agreed. Only the CJEU can invalidate them or the European Commission can withdraw the underlying Decisions. However, DPAs might challenge whether data importers are fully compliant with the EU model clauses, because of the broad powers of law enforcement agencies in the US and the lack of remedies for EU data subjects.

The US-Swiss Safe Harbor

Switzerland’s Data Protection Commission issued a strong Statement, dated 7th October 2015, on recommended action following the CJEU decision: “If data has to be stored externally, it should wherever possible be stored by European providers on servers in Europe. Swiss businesses and authorities that use products and services provided by American companies should enter into additional agreements to secure better protection for the persons concerned and their data.”

Privacy Laws & Business will soon announce the programme for a Roundtable with the European Data Protection Supervisor at the EDPS’s office in Brussels on 9 March 2016. 

A longer version of this e-news, based on the Latham & Watkins/Privacy Laws & Business Safe Harbor seminar in London on 15 October, is available on request to info@privacylaws.com with “L&W/PL&B SH seminar” in the subject line.