Home Knowledge Working Party Publishes Statement on Schrems

Working Party Publishes Statement on Schrems

October 19, 2015

As reported earlier (see here), the Court of Justice of the European Union (CJEU) has declared that the EU Commission’s decision on Safe Harbor is invalid because Safe Harbor does not sufficiently protect the fundamental rights of EU citizens.

Following the landmark ruling, a statement has now been issued by the Article 29 Working Party (the “Working Party”), a group consisting of representatives from the data protection supervisory authorities of each Member State along with representatives from the office of the European Data Protection Supervisor and the European Commission.

In its statement, the Working Party urgently calls upon Member States and the European institutions to open discussions with US authorities “in order to find political, legal and technical solutions” enabling data transfers to the US while protecting the fundamental rights of EU citizens.

The Working Party makes it clear that transfers still taking place under the Safe Harbor decision are unlawful.  For the time being, the Working Party considers the alterative options legitimising transfers to the US including Model Contracts and Binding Corporate Rules (BCRs) can be used, however it notes that it “will continue its analysis on the impact of the CJEU judgment” on these alternative transfer tools.

Most strikingly, the Working Party notes that if, by the end of January 2016, no appropriate alternative solution has been agreed upon with the US authorities and depending upon the assessment by the Working Party of the alternative transfer tools, “EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

The Working Party concludes that responsibility for finding sustainable solutions in light of the CJEU judgment is one which is shared amongst all stakeholders including each data protection authority, the EU institutions, individual Member States and businesses. It notes that “in particular, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks.”

In light of the Working Party’s statement, it appears that Model Contracts and Binding Corporate Rules are currently valid mechanisms for transfer of personal data to the US and may be considered so by such grouping until 31 January 2016.  However, the position is generally in a state of flux requiring all data controllers who transfer personal data to the US to constantly review and reflect on their processes and procedures, and the position of the data protection authorities on such transfer mechanisms.

It is understood that, at the time of publishing this Data Protection Day Update, US and EU officials are due to meet in February 2016. 

Follow us on Twitter @WFIDEA

Contributed by: Leo Moore