EU Parliament Committee calls on the Commission for immediate action on US data transfers
The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor. Importantly, LIBE has also called on the Commission to reassess whether the European Court of Justice’s recent invalidation of Safe Harbor casts doubt on other means for legitimizing the transfer of personal data from the EEA to the US.
As I’ve commented previously, the ECJ’s rationale in the Schrems Safe Harbor decision could be used to attack both BCRs and Model Clauses. LIBE certainly seems to have picked up on that also.
Here’s an excerpt from LIBE’s press release:
MEPs welcome the 6 October ruling by the European Court of Justice (ECJ) in the Schrems case, invalidating the Commission’s decision that Safe Harbour provides sufficient protection for the data of EU citizens when it is transferred to the US, thus vindicating Parliament’s long-standing concerns about the agreement. The Commission must immediately take the necessary measures “to ensure an effective level of protection” equivalent to the protection ensured in the EU, they say.
They protest that Parliament has received no formal feedback from the Commission regarding the implementation of the 13 recommendations for a “safer” Safe Harbour, and stress that “it is now urgent that the Commission provide a thorough update on the negotiations thus far and the impact of the judgement on the further negotiations.”
They also invite the Commission to reflect “immediately” on alternatives to Safe Harbour and on the “impact of the judgement” on any other instruments used for the transfer of personal data to the US and report on it by the end of 2015.
The full press release is available here.
As always, we need to try to chart a course of action to comply as best as possible with what seems to be an increasingly unstable legal landscape in Europe. So I will conclude by saying that model clauses, BCRs and consent are still available means of legitimizing data transfers from the EEA to the US. For now, and until we get decisions to the contrary by national or regional Data Protection Authorities, courts, the ECJ or the Commission – or until these means are eliminated or restricted by the new Data Protection Regulation, which is still under negotiation.
On a personal note, as someone who lives in the United Kingdom, I will say that if the new Regulation, a DPA or a court says that I will no longer have the right to consent to the transfer of my personal data to the US because I couldn’t possibly appreciate the grave threat to my privacy rights and shouldn’t be allowed to “bargain away” a fundamental right, and I lose access to Facebook or Google as a result, I will be mightily displeased. And it’s possible that I won’t be the only EEA resident who feels that way.
Disclaimer: The views expressed above are my own and should not be attributed to Mintz Levin.