Who: Court of Justice of the European Union (CJEU), Information Commissioner’s Office (ICO) and the Article 29 Working Party
Where: EU and US
When: 6 October 2015
Law stated as at: 13 October 2015
What happened:
On 6 October 2015 the CJEU handed down its judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, confirming that the European Commission’s decision of 26 July 2000 was invalid. The effect of the CJEU’s judgment is that the Safe Harbor scheme should no longer be assumed to provide adequate protection for the fundamental rights of EU citizens in relation to the transfer of their personal data to the US (a more detailed analysis of the CJEU’s decision is available from Osborne Clarke). However, as the dust settles, EU Data Protection Authorities (“DPAs”) are beginning to issue statements and guidance on the practical effect of the CJEU’s judgment and how businesses should react.
Both the ICO and the Article 29 Working Party issued statements almost immediately after the CJEU judgment was released and both carried a similar message: this is a significant judgment which will require businesses to assess their data transfer procedures, but it is recognised that it will take time for businesses to review and update those procedures.
Why this matters:
Discussions have been taking place between the Commission and the US authorities for some time regarding updates to the Safe Harbor scheme and these will no doubt be escalated following the CJEU’s judgment. However, businesses cannot simply sit back and wait for Safe Harbor 2.0 to be agreed.
The ICO’s statement reaffirms this point, urging businesses to review their US-bound data transfers and ensure that they comply with the law. The question, therefore, is how to go about doing this. Businesses should be taking proactive steps to review their data transfer procedures and can start by considering what agreements they currently have in place with their US data processors and whether these are dependent upon the Safe Harbor scheme.
If the data transfers are dependent on Safe Harbor, the position will need to be reviewed. In terms of viable alternatives, however, this is not necessarily straightforward.
Comments have been made, including most recently by DPAs in Germany, that the same issues which brought Safe Harbor low may also infect both EU model contracts and Binding Corporate Rules.
Realistically, this leaves just two options: the data transferor conducting its own review of the data protection laws of the transferee country and determining that they are “adequate”, clearly now a high-risk approach for transfers to the US; and the data subject’s freely given, specific and informed consent, again very difficult to achieve in the context of most transfers. The immediate prospects therefore do not look good.
The central message from DPAs is that, although businesses must take action to review their data transfers, the authorities recognise that this may take time. The ICO and the Article 29 Working Party have also advised businesses to keep checking their respective websites for formal guidance on what to do following the CJEU decision. The ICO’s news feed can be found on its website or Twitter account, and Article 29 Working Party updates are published on its website.