On October 16, 2015, the Article 29 Working Party (the “Working Party”) issued a statement on the consequences of the recent ruling of the Court of Justice of the European Union (the “CJEU”) invalidating the European Commission’s Safe Harbor Decision.
In its statement, the Working Party called upon the EU Member States and EU institutions to open discussions with U.S. authorities in order to find political, legal and technical solutions enabling transfers to the U.S. that respect EU citizens’ fundamental rights. According to the Working Party, an intergovernmental agreement providing stronger guarantees to EU data subjects and a new Safe Harbor could offer such solutions.
Importantly, the Working Party indicated that it will continue analyzing the impact of the CJEU ruling on other data transfer mechanisms, such as standard contractual clauses and Binding Corporate Rules. The Working Party confirmed that, during this period, businesses can still rely on these data transfer mechanisms to transfer personal data to the U.S. According to the statement, however, this does not exclude the possibility for national data protection authorities (“DPAs”) to investigate particular data transfers (e.g., following a complaint) and exercise their powers to protect individuals.
Furthermore, if no solution is found with the U.S. authorities by the end of January 2016, the DPAs may, depending on the outcome of the Working Party’s assessment of the other data transfer mechanisms, decide to take coordinated enforcement actions.
In any event, the Working Party states that businesses can no longer rely on the EU-U.S. Safe Harbor to transfer personal data from the EU to the U.S. To that end, the Working Party advises businesses to reflect on the eventual risks they take when transferring data and to consider putting in place any legal and technical solutions to mitigate these risks and to respect EU law. Meanwhile, national DPAs are expected to provide more information to businesses at a national level.