July 3, 2022

Volume XII, Number 184

Advertisement
Advertisement

July 01, 2022

Subscribe to Latest Legal News and Analysis

June 30, 2022

Subscribe to Latest Legal News and Analysis

Article 29 Working Party Issues Statement On Next Steps For Safe Harbor

Following the EU Court of Justice (CJEU) ruling in the Schrems case the Article 29 Working Party (WP29) has issued a statement setting out its views on several critical issues going forward.

The WP29 comprises all of the national Data Protection Authorities across the EU. Although the WP29’s statement it not decisive, it is influential and welcome in light of conflicting signals that had been coming from different data protection authorities. The statement addresses the steps that must be taken by the EU Institutions to resolve the concerns identified in the CJEU’s judgment, and clarifies the WP29’s position on the measures that should be implemented by Safe Harbor-certified companies in the interim.

The statement emphasizes that transfers relying on Safe Harbor are now unlawful.  The WP29 considers that, on an interim basis, the EU Standard Contractual Clauses (or Model Clauses) and Binding Corporate Rules (BRCs) can still be relied upon to legitimize transfers of EU personal data to the United States, pending negotiations over the future of the Safe Harbor arrangements. During that time, the WP29 will “continue its analysis of the impact of the CJEU judgment on other transfer tools” (including the Model Clauses and BCRs). Furthermore, national data protection authorities will in the meantime exercise their powers in response to complaints if necessary to protect individuals’ privacy rights.

The statement indicates that if no appropriate solution is found between the EU and the US authorities by the end of January 2016,

EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.

In the meantime, the authorities will put in place appropriate national information campaigns to ensure that all stakeholders are sufficiently informed, and this may include contacting all known companies that previously relied on Safe Harbor.

The ramifications for companies that transfer personal data from the EU to the US, whether intra-Group or to third parties, are as follows:

  • If your business is Safe Harbor-certified or if it transfers EU personal data to a US company using Safe Harbor, you will need to consider adopting alternative solutions immediately. These may include, for example, the Model Clauses or BCRs.

  • If your company transfers EU personal data to the US using the Model Clauses or BCRs, you should be aware that these mechanisms may also be found to raise many of the same concerns that caused the CJEU to invalidate the Safe Harbor program; however, for the time being, the WP29 Statement would appear to mitigate the compliance risks arising from reliance on these measures.

  • Businesses should take stock of their data protection and data transfer practices in order to ensure that their practices conform to the commitments that they undertake pursuant to the Model Clauses or BCRs, and should consider ways of addressing compliance risks if the January 2016 deadline for concluding the Safe Harbor negotiations is not met.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume V, Number 291
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Anthony Van der Hauwaert, Squire Patton Boggs, Finance Transactions
Partner

Anthony Van der Hauwaert heads the Belgian practice of Squire Patton Boggs, and concentrates on corporate and finance transactions, with particular experience in cross-border and domestic mergers and acquisitions, private equity and project finance transactions. Anthony has also significant commercial real estate and employment law expertise. 

322 627 11 20
Stephanie Faber International Business Attorney Squire Patton Boggs Paris, France
Of Counsel

Stephanie Faber heads the Data Privacy & Cybersecurity Practice and the Intellectual Property & Technology Practice in the Paris office. She specialises in international business law, with more than 20 years of experience. Her legal practice encompasses business transactions and operations, as well regulatory and compliance work.

In relation to the Data Privacy & Cybersecurity Practice, Stephanie advises on:

  • GDPR gap assessment and compliance programs
  • Data breach management and notification
  • Database creation, international...
33 1-5383-7400
Dr. Annette Demmel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Berlin, Germany
Partner

Dr. Annette Demmel is a partner in our Data Privacy & Cybersecurity Practice Group in Berlin. For 20 years, Annette has advised national and international businesses in privacy law, technology law, telecommunications law, intellectual property law, media law and competition law.

In particular, she leads the implementation of privacy compliance programs and centralized software systems, and provides advice on policy and regulatory issues arising in the electronic communications and internet sectors. Annette also advises clients on legal issues relating to profiling and online...

49 30-72616-8226
Fernando González Intellectual Property Attorney Squire Patton Boggs Madrid, Spain
Partner

Fernando González leads the dispute resolution and intellectual property (IP) team in Madrid. Fernando has more than 25 years of litigation experience in commercial and IP law. He represents clients around the world in international arbitration proceedings. He also has experience in the areas of fraud and insolvency.

Fernando is listed as the Spanish representative of Fraudnet, a network of lawyers integrated in the International Chamber of Commerce. He is a member of the board of a renowned American university in Spain. He has also served on IBA and INTA committees.

He is...

34 91-426-4843
Advertisement
Advertisement
Advertisement