After the CJEU Safe Harbor decision - EU data protection authorities announce delay in enforcement action

On 6 October 2015, the Court of Justice of the European Union (CJEU) has ruled that the Safe Harbor framework is invalid. Since then, companies have waited for a reaction of EU data protection authorities (DPAs) on how to proceed with data transfers from the EU to the US. The DPAs have now made a first statement on EU level. Businesses operating in the US and in Europe should take this statement into close account when deciding on how to proceed with transatlantic data transfers.

Statement of the Article 29 Data Protection Working Party

The Article 29 Data Protection Working Party (Working Party) has now made a first statement on how EU DPAs should respond to the ECJ Judgment. The Working Party is the independent EU Advisory Body on Data Protection and Privacy. It coordinates joint EU DPA actions. The Working Party is composed of national data protection authorities, the European Data Protection Supervisor and the European Commission. The Working Party promotes the uniform application of general data protection principles in the EU through co-operation between national DPAs. The Working Party statement of 16 October 2015 underlines the need for a robust, collective and common EU position on the implementation of the judgment.

Transfers under Safe Harbor are unlawful after the CJEU judgment

The Working Party makes clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission Safe Harbor adequacy decision 2000/520/EC. The DPAs consider transfers under the Safe Harbor decision occurring after the CJEU judgment as unlawful.

Consequences for businesses

The Working Party demands that DPAs, EU institutions, Member States and businesses find sustainable solutions to implement the CJEU judgment. Businesses should take into account the risks they take when transferring data unlawfully. Hence, the DPAs demand that companies should respect the EU data protection laws and immediately put into place legal and technical solutions to mitigate the risks of data protection law violations. Given the high degree of attention, which the decision of the CJEU has raised, corporates are well-advised to review their data transfer processes and structure in order to mitigate their exposure.

For the time being, businesses can continuous to use EU Standard Contractual Clauses and Binding Corporate Rules

While negotiations between the EU and the US regarding a new Safe Harbor agreement are still ongoing – but no longer than to the end of January 2016 – the Working Party will continue its analysis on the CJEU judgment on other transfer tools. For the time being, DPAs consider that EU Standard Contractual Clauses and Binding Corporate Rules can still be used. This rather ambiguous statement makes clear that the Working Group currently considers whether the reasoning of the CJEU judgment also indicates that other means to legitimize transfers of personal data to the US need to be suspended.

However, the Working Party emphasizes that this general course not to initiate coordinated enforcement action before February 2016 does not prevent data protection authorities from investigating individual cases even while the negotiations. On the basis of complaints, for instance, DPAs are bound exercise their supervisory and regulatory powers in order to protect individuals. This may well encompass enforcement action against businesses not in compliance with the strict requirements and standards that the CJEU has set up.

Request for further negotiations between the EU and the US

The Working Party regards disproportionate surveillance as incompatible with the EU legal framework. It does not see existing transfer tools as a solution to this issue. The Working Party does not consider third countries where the powers of state authorities to access information go beyond what is necessary as safe destinations for transfers. Any adequacy decision should imply a broad analysis of the third country domestic laws and international commitments. This statement already strongly suggests that the DPAs will also closely review the impact of the CJEU on EU Standard Contractual Clauses as well as on Binding Corporate Rules moving forward.

The Working Party calls on the EU to continue discussions with US authorities in order to find solutions enabling data transfers that respect fundamental rights. This could for instance be accomplished by an intergovernmental agreement providing stronger guarantees to EU data subjects. The current dialogue about a new Safe Harbor could be a part of this solution.

Key aspects of future data transfer agreements

The Working Party demands respective clear and binding mechanisms for any future data transfer agreement between the EU and the US. According to the DPAs, these mechanisms need to include obligations regarding the following aspects:

• oversight of access by public authorities,
• transparency,
• proportionality,
• redress mechanisms and on
• data protection rights.

Coordinated enforcement actions unlikely before February 2015

If by the end of January 2016, EU and US authorities have not found a solution regarding data transfers, depending on the assessment of the transfer tools by the Working Party, EU DPAs are committed to take all necessary and appropriate actions. According to the Working Party, this may include coordinated enforcement actions.

Next steps for businesses

Notwithstanding the ongoing negotiations regarding a new Safe Harbor agreement, businesses need to find means how to legitimize data transfers to the US. In response, Hogan Lovells has published a high-level analysis of the possible options available for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Safe Harbor 2.0, and consent—and the pros and cons of choosing each one.