On October 16, 2015, EU authorities gave the U.S. and European Union until the end of January 2016 to find a replacement for the former US-EU Safe Harbor regime, or enforcement actions could begin. The full statement of the EU Working Party is provided below:
Following the landmark ruling of the Court of Justice of the European Union (CJEU) of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362- 14), the EU data protection authorities assembled in the Article 29 Working Party have discussed the first consequences to be drawn at European and national level. EU data protection authorities consider that it is absolutely essential to have a robust, collective and common position on the implementation of the judgment. Moreover, the Working Party will observe closely the developments of the pending procedures before the Irish High Court.
First, the Working Party underlines that the question of massive and indiscriminate surveillance is a key element of the Court’s analysis. It recalls that it has consistently stated that such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue. Furthermore, as already stated, transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers. In this regard, the Court’s judgment requires that any adequacy decision implies a broad analysis of the third country domestic laws and international commitments.
Therefore, the Working Party is urgently calling on the Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects. The current negotiations around a new Safe Harbour could be a part of the solution. In any case, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.
In the meantime, the Working Party will continue its analysis on the impact of the CJEU judgment on other transfer tools. During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. In any case, this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.
If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.
In order to ensure that all stakeholders are sufficiently informed, EU data protection authorities will put in place appropriate information campaigns at national level. This may include direct information to all known companies that used to rely on the Safe Harbour decision as well as general messages on the authorities’ websites.
In conclusion, the Working Party insists on the shared responsibilities between data protection authorities, EU institutions, Member States and businesses to find sustainable solutions to implement the Court’s judgment. In particular, in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.
The Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive 95/46/EC. It is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The Article 29 Working Party is competent to examine any question covering the application of the data protection directives in order to contribute to the uniform application of the directives. It carries out this task by issuing recommendations, opinions and working documents.