The Article 29 Working Party, which includes representatives from all EU Data Protection Authorities, released its much-awaited guidance on the judgment by the European Court of Justice declaring the European Commission’s decision on the Safe Harbor to be invalid. Described as “a collective and common position on the judgment,” the “first consequences to be drawn at European and national level” are as follows:
- Transfers to the United States in reliance on the Safe Harbor after the October 6, 2015 decision are unlawful. However, the Working Party showed deference to the principle of proportionality by announcing that coordinated enforcement actions by data protection authorities against companies failing to implement appropriate data transfer solutions will not start until the end of January 2016.
- Model Contracts and Binding Corporate Rules are still effective data transfer solutions, although the Working Party will continue its analysis of the impact of the Court ruling on these transfer tools.
- A Safe Harbor version 2.0 is “urgently needed” providing this includes “obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.”
- Any adequacy decision (which would include decisions by DPAs under authority recognized by the Court, as well as by the Commission with respect to Safe Harbor 2.0 or otherwise) must be based on “a broad analysis of the third country domestic laws and international commitments.” The Working Party did not mention EU surveillance laws but, interpreted alongside the “essentially equivalent” requirement in the Court of Justice judgment, such analysis would seem to require a comparative assessment of the EU domestic laws and international commitments.
It is clear that the Working Party considers time to be of the essence, both in terms of reaching an intergovernmental agreement on transatlantic data flows with a new Safe Harbor version 2.0 and for companies to assess their international transfers and implement appropriate legal and technical solutions. The short grace period puts pressure on the Safe Harbor negotiations and spurs companies to put alternative plans in place.
Sidley’s global team of privacy professionals has been monitoring these developments closely and has been actively engaged in advocacy, analysis and development of practical responses to these issues.
For more information and continuous updates, please visit our Safe Harbor Resource Page. On October 20, 2015, Sidley Austin LLP will be holding a webinar with the European Data Protection Supervisor to discuss these issues, entitled “Safe Harbor Briefing: Your Questions Answered by Giovanni Buttarelli” at 16.30 BST, 11.30 EST and 8.30 PST. Register for the webinar here.