Article 29 WP On the Schrems Ruling (Safe Harbor) − Latest Developments and Next Steps
The Article 29 Data Protection Working Party (“Article 29 WP”), an EU advisory body on data protection composed of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the European Commission, met in plenary on Thursday, October 15, to discuss the first consequences of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems case (see our previous blog post here). In a press release (see here) on October 16, they emphasize that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.” They will closely observe the pending procedures before the Irish High Court, which is expected to issue a judgment in November, now that the case has been referred back to it by the CJEU.
The key take-aways from the Article 29 WP’s press release are that:
data transfers under the European Commission’s Safe Harbor decision after the CJEU judgment are unlawful;
the Article 29 WP will analyze the impact of the CJEU judgment on other transfer tools − during this period standard contractual clauses and Binding Corporate Rules (“BCRs”) can still be used;
grace period: DPAs will take action, including coordinated enforcement action, if by the end of January 2016 no appropriate solution with the U.S. authorities is found (depending on the assessment of the other transfer tools); and
in the meantime, DPAs can investigate in particular cases and exercise their powers to protect individuals, for instance, in case of a complaint.
The EU DPAs will start information campaigns at the national level to inform all stakeholders. The Article 29 WP calls upon businesses to reflect on the risks related to data transfers and to consider putting in place legal and technical solutions in a timely manner to mitigate those risks and to respect the EU data protection acquis.
Earlier this week, on October 12, the European Parliament’s LIBE Committee held a debate to discuss the aftermath of the Schrems ruling (see our previous blog post here); the Schrems ruling also figured on the agenda of a mini-plenary of the European Parliament on October 14. On the same day, the European Commission consulted with key business stakeholders, and a follow-up meeting is expected. The European Parliament and the Commission are supposed to meet on October 26, 2015.
The negotiations on the revised Safe Harbor are continuing with high speed. The Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, will be travelling to the United States in November to meet and discuss with her U.S. counterparts. However, whilst acknowledging that the current negotiations around a new Safe Harbor could be a part of the solution, the Article 29 WP is “urgently calling on the Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.” They refer to an intergovernmental agreement providing stronger guarantees to EU data subjects as a possible solution.