As reported previously, the Court of Justice of the European Union (CJEU) recently declared that the EU Commission’s decision on Safe Harbor is invalid because the Safe Harbor framework does not sufficiently protect the fundamental rights of EU citizens.
Irish High Court rules on Schrems
The matter recently returned before the Irish High Court to decide how the case should proceed following what the judge described as “possibly one of the most important decisions” of the CJEU in recent years.
Arising from the CJEU decision, the Data Protection Commissioner (DPC) quashed the 2013 refusal of her office to investigate the complaint. The Court noted that “it is clear that the DPC had no jurisdiction to go behind the ‘Safe Harbor’ agreement” at that time.
Counsel for Mr Schrems expressed concern that the complaint would be “long-fingered” by the DPC in the hope of a new Safe Harbor arrangement being agreed. However, Counsel for the DPC assured the Court that the complaint would be investigated in line with the High Court and CJEU decisions.
In a statement following the ruling, the DPC welcomed the decision and noted that her office will now “proceed to investigate the substance of the case with all due diligence”.
Safe Harbor 2.0?
In the meantime, the wait for Safe Harbor 2.0 may not be a long one. The EU Commissioner for Justice announced this week that the EU had agreed “in principle” on a new data transfer agreement with the US while discussions are ongoing to ensure that “the new arrangement lives up to the standard of the Schrems ruling”.
The two sides have been negotiating a new agreement since Edward Snowden leaked details of a US mass electronic surveillance program in 2013, and a number of meetings have taken place since the judgment with the aim of transforming the system from a purely self-regulating one. The Commissioner noted that the European Commission is not assessing the US system generally but ensuring that it offers safeguards which are “globally equivalent” to those offered in Europe. The Commissioner also noted that ensuring sufficient safeguards and limitations to prevent access to personal data on a generalised basis “is the biggest challenge in the judgment” but welcomed the reforms made by the US in this regard.
EDPS offers advice to businesses
Meanwhile, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, noted that Standard Contracts and Binding Corporate Rules (BCRs) remain solutions for the transfer of personal data to the US for the time being but warned that they cannot be conceived of as “entirely solid”.
Mr Buttarelli reaffirmed the position that companies that currently transfer data to the US must immediately cease relying on Safe Harbor to legitimise transfers. He suggested that companies should “identify interim solutions” and await guidance from national data protection authorities which he believed would issue shortly.
The Commissioner, observing that businesses need “clear explanations and a uniform interpretation of the ruling”, noted that the European Commission will shortly issue an explanatory communication on the consequences of the ruling in respect of data transfers.
In the meantime, Irish businesses affected by the Safe Harbor ruling should continue to identify and implement interim solutions in respect of data transfers between the EU and US.
Contributed by John Magee.