Oct 162015

European Data Protection Authorities Give Companies Three Months to Assess New International Data Transfer Solutions and Call “Urgently” for Safe Harbor 2.0 – Model Contracts and Binding Corporate Rules Remain Viable

Cameron F. Kerry, William RM Long and Francesca Blythe
, , ,

The Article 29 Working Party, which includes representatives from all EU Data Protection Authorities, released its much-awaited guidance on the judgment by the European Court of Justice declaring the European Commission’s decision on the Safe Harbor to be invalid. Described as “a collective and common position on the judgment,” the “first consequences to be drawn at European and national level” are as follows:

  • Transfers to the United States in reliance on the Safe Harbor after the October 6, 2015 decision are unlawful. However, the Working Party showed deference to the principle of proportionality by announcing that coordinated enforcement actions by data protection authorities against companies failing to implement appropriate data transfer solutions will not start until the end of January 2016.
  • Model Contracts and Binding Corporate Rules are still effective data transfer solutions, although the Working Party will continue its analysis of the impact of the Court ruling on these transfer tools.
  • A Safe Harbor version 2.0 is “urgently needed” providing this includes “obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.”
  • Any adequacy decision (which would include decisions by DPAs under authority recognized by the Court, as well as by the Commission with respect to Safe Harbor 2.0 or otherwise) must be based on “a broad analysis of the third country domestic laws and international commitments.”  The Working Party did not mention EU surveillance laws but, interpreted alongside the “essentially equivalent” requirement in the Court of Justice judgment, such analysis would seem to require a comparative assessment of the EU domestic laws and international commitments.

It is clear that the Working Party considers time to be of the essence, both in terms of reaching an intergovernmental agreement on transatlantic data flows with a new Safe Harbor version 2.0 and for companies to assess their international transfers and implement appropriate legal and technical solutions. The short grace period puts pressure on the Safe Harbor negotiations and spurs companies to put alternative plans in place.

Sidley’s global team of privacy professionals has been monitoring these developments closely and has been actively engaged in advocacy, analysis and development of practical responses to these issues.

***********************

For more information and continuous updates, please visit our Safe Harbor Resource Page. On October 20, 2015, Sidley Austin LLP will be holding a webinar with the European Data Protection Supervisor to discuss these issues, entitled “Safe Harbor Briefing: Your Questions Answered by Giovanni Buttarelli” at 16.30 BST, 11.30 EST and 8.30 PST. Register for the webinar here.

Cameron F. Kerry

ckerry@sidley.com

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.

Unpacking Digital Data Laws Across Europe: Addressing the Digital Markets Act

The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.