Tag Archive: data protection

Safe Harbor: Statement from working group of EU data protection authorities

Following the decision of the ECJ on 6 October 2015 declaring the EU-US Safe Harbor system for data transfer invalid, the Article 29 Working Group of European data protection authorities has now issued a statement setting out its views on several critical issues going forward.

The WP29 comprises all of the national Data Protection Authorities across the EU. Although the WP29’s statement is not decisive, it is influential and welcome in light of conflicting signals that had been coming from different data protection authorities, particularly in Germany. The statement addresses the steps that must be taken by the EU Institutions to resolve the concerns identified in the CJEU’s judgment, and clarifies the WP29’s position on the measures that should be implemented by Safe Harbor-certified companies in the interim.

The statement emphasizes that transfers relying on Safe Harbor are now unlawful.  The WP29 considers that, on an interim basis, the EU Standard Contractual Clauses (or Model Clauses) and Binding Corporate Rules (BCRs) can still be relied upon to legitimize transfers of EU personal data to the United States, pending negotiations over the future of the Safe Harbor arrangements. During that time, the WP29 will “continue its analysis of the impact of the CJEU judgment on other transfer tools” (including the Model Clauses and BCRs). National data protection authorities will in the meantime exercise their powers in response to complaints if necessary to protect individuals’ privacy rights.

The statement indicates that if no appropriate solution is found between the EU and the US authorities by the end of January 2016, EU data protection authorities are committed to taking all necessary and appropriate actions, which may include coordinated enforcement actions.

Permanent link to this article: https://www.dlapiperbeaware.co.uk/safe-harbor-statement-from-working-group-of-eu-data-protection-authorities/

Ground-breaking European Court Decision – US Safe Harbor declared invalid

In a ground-breaking Decision on 6 October 2015 the Court of Justice of the European Union (CJEU) declared the US Safe Harbor scheme to be invalid, as well as confirming that individuals have the right to challenge any similar schemes that may be established by the European Commission through their national data protection authorities.

This summary by Andrew Dyson and Patrick van Eecke in our Data Privacy team provides more details. More information on the implications for employment data will follow shortly.

The US Safe Harbor framework was established 15 years ago to provide a mechanism by which European businesses could validly transfer personal data from the EU to the US. The framework has been widely adopted, with over 5000 companies currently using the scheme to support the free flow of data across the Atlantic. It is commonly adopted to support data transfers needed to support intra-group operations (for example to assist a US parent in managing EU based activities) and outsourced services involving a US cloud or software-as-a-service (SAAS) provider.

The Decision of the CJEU will have a significant and immediate impact on any business that has relied on Safe Harbor to enable these operations to date, and will require a change in approach to cross-border data transfers.

Impact for businesses

We expect it will take time for the full practical implications of the decision to flow down and take effect, with national data protection authorities likely to develop their own interpretation and positions.  What is clear, however, is that Safe Harbor as it stands at the moment is not valid.

  • The decision will have an immediate impact on any organization currently relying on Safe Harbor as a basis for transferring data to the US, either intra-group or through their supply chain. Subject to any guidance issued by local supervisory authorities (see below), these arrangements are now likely to be invalid. To understand the risks and plan effectively, organizations should quickly identify any arrangements they rely on that are underpinned by Safe Harbor. A strategy can then be adopted to consider alternative arrangements to authorize continuing data transfers to the US. In many cases this may involve adoption of EC approved standard contractual clauses.
  • In the medium term, we expect to see a more fragmented approach from the 28 national supervisory authorities to future decision making around transfers of data to the US. This is likely to create greater uncertainty for any multinational business operating within Europe, as regulators may feel empowered by the decision to make independent assessments on adequacy for any alternative arrangements organizations may be considering instead of Safe Harbor – potentially replaying concerns noted in the court decision about the wide scope of the Patriot Act as a basis for undermining the viability of other well established transfer routes such as the EC model clauses.
  • A more fragmented regulatory approach on cross-border issues at a time when legislators are trying their best to support a more integrated global information society will be unwelcome, adding significant cost and regulatory burden to organizations who may feel exposed and vulnerable to challenges from changing political landscapes.
  • If a European national supervisory authority has the power to investigate and suspend the transfer of the personal data in question to the US, irrespective of Safe Harbor, this will create a new and substantial obstacle for any US business looking to establish a ‘data importing’ business model in the EU market. This could lead to a position where US companies will need to establish separate consent arrangements for data sharing, which may put them at a major disadvantage when building a consumer facing business model in comparison with EU based companies.
  • Although these other legal avenues exist for sharing personal data between EU companies and citizens and US companies, these solutions are often onerous and difficult to implement on a global scale. Safe Harbor functions as a kind of ‘one stop shop’, a practical solution to allow data transfers from the EU to a trusted business partner in the US – Europe risks endangering this important relationship for transatlantic economic growth.
  • Over the past two years, the EU Commission has been working and negotiating intensively with US authorities to reach a joint solution for the public concern and distrust generated by the revelations based on leaked documents from Edward Snowden back in June 2013 (which confirmed that US authorities can have access on a mass basis to personal data of individuals living in the EU). The two sides of the Atlantic are almost at the end of this extensive negotiating period but the Decision of the CJEU halts momentum to reach a safe solution and risks a swift return to square one.
  • More broadly, the Decision of the CJEU does not only have an impact on Safe Harbor but potentially opens the scope for national authorities to challenge other Decisions of the European Commission (such as, for instance, the standard contractual clauses for controller-controller or controller-processor data transfers).

For further information please email dataprivacy@dlapiper.com

Permanent link to this article: https://www.dlapiperbeaware.co.uk/ground-breaking-european-court-decision-us-safe-harbor-declared-invalid/
