As a reminder, on 6 October 2015, the European Union Court of Justice (the “ECJ”) declared the Safe Harbour decision invalid (see our previous newsletter on this subject).
Following this ruling, the Article 29 Working Party (the “Working Party”), composed of representatives of the EU data protection authorities (“DPAs”), the European Data Protection Supervisor and the European Commission, analysed the initial consequences to be drawn at a European and national level and issued a common statement on 16 October 2015.
The Working Party considered that it is absolutely essential to have a robust, collective and common position on the implementation of the ruling.
The Working Party urgently called on the Member States and the European Institutions to open discussions with the U.S. authorities in order to find political, legal and technical solutions enabling data transfers to the U.S. that respect fundamental rights. The Working Party believed that the current negotiations around a new Safe Harbour decision could be a part of the solution.
In the meantime, the Working Party confirmed that transfers from the EU to the U.S. can no longer be based on the Safe Harbour decision, and that any data transfers still taking place under the Safe Harbour decision after the ECJ ruling are unlawful.
Consequently, EU companies which currently rely on the Safe Harbour decision in order to transfer personal data to the U.S. must suspend such transfers and consider other legal bases for making them, such as (i) data transfer agreements based on EC approved Standard Contractual Clauses, or (ii) Binding Corporate rules.
The Working Party indicated that it will continue its analysis on the impact of the ECJ ruling on these other transfer tools, but that during this period, Standard Contractual Clauses and Binding Corporate Rules can still be used. In the view of the Working Party, this will not, however, prevent national DPAs from investigating particular cases, for instance on the basis of complaints. If, by the end of January 2016, no appropriate solution is found with the U.S. authorities, EU DPAs are committed to take all necessary and appropriate action, which may include coordinated enforcement action.
We would be happy to help you assess the lawfulness of your data transfers and/or to implement any necessary compliance action.