Article 29 WP Says Safe Harbor Transfers Illegal; Model Clauses and BCRs Under Review
The Article 29 Working Party (WP) issued a press release on October 16, 2015 announcing the outcome of the meeting to discuss coordinated action after the Court of Justice of the European Union (ECJ) decision in the matter of Schrems v. Data Protection Commissioner (C-362-14), which invalidated the U.S.-EU Safe Harbor Agreement. While calling for a coordinated position and urging Member States to urgently open negotiations with the U.S. to address “indiscriminate surveillance,” the WP stated: “transfers that are still taking place under the Safe Harbour decision after the [ECJ] judgment are unlawful” (boldface in original). The WP expressed the view that standard contractual clauses and binding corporate rules (BCRs) can still be used, but said that “this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals” (boldface in original).
The WP further expressed the position that if negotiations with the U.S. are not successful by the end of January 2016, or if the assessment of transfer tools does not yield results deemed to be privacy protective, then EU data protection authorities would be prepared to take actions up to and including coordinated enforcement. In this increasingly complex landscape, companies need to continue to quickly assess data transfer options.