EU Data Protection Authorities Provide Guidance on EU-U.S. Data Transfers

The Article 29 Working Party (Art. 29 WP), comprising each European Union member state's data protection authorities and representatives from the European Commission, has now provided U.S. companies with guidance on the practical implications of the October 6 European Union Court of Justice (ECJ) Safe Harbor decision. The October 6 ECJ decision invalidated the U.S.-EU Safe Harbor and created not only widespread uncertainty about the fate of the 4,400 companies that relied on Safe Harbor for their EU-U.S. data transfers, but also doubt about the continued "adequacy" of the most obvious alternatives: Standard Contractual Clauses and Binding Corporate Rules. The European regulators have now spoken with one voice to provide the following five takeaways:

1. The U.S.-EU Safe Harbor is no longer a valid basis for EU-U.S. data transfers, and companies must find alternative solutions;
2. Standard Contractual Clauses and Binding Corporate Rules can still be used, at least for the time being;
3. Individual member state data protection authorities may investigate specific data transfers, for instance on the basis of complaints against particular companies;
4. The data protection authorities expect the U.S. and EU to develop solutions to deal with the "massive and indiscriminate surveillance" in the U.S. and to provide an "adequate" framework by the end of January 2016; and
5. If no solution is found by the end of January 2016, then "EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."

The Art. 29 WP encouraged member states and other European institutions to open discussions with the U.S. to find political, legal and technical solutions to enable data transfers to the U.S. while respecting fundamental rights. In particular, the Art. 29 WP sees some possibility that intergovernmental agreements could provide stronger guarantees to EU data subjects, perhaps in conjunction with the renegotiated Safe Harbor.

Between now and January 2016, the Art. 29 WP has also committed to analyze the impact of the ECJ Safe Harbor decision on the other transfer mechanisms, including Standard Contractual Clauses and Binding Corporate Rules.

Other Opinions on the ECJ Safe Harbor Decision

Unfortunately, some regulators have already been more outspoken about their distaste for all existing mechanisms for transferring data to the U.S., including Standard Contractual Clauses and Binding Corporate Rules. On October 14, the data protection authority in the German state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz) issued a position paper on the ECJ Safe Harbor decision. Though the position paper does not invalidate any other transfer mechanisms, it argues that any transfers to the U.S. are de facto invalid and that a fundamental change in U.S. law to protect the fundamental privacy rights of EU citizens is required. It is worth noting that this particular German state may be among the first to aggressively exercise its investigative authority upon further consideration or upon any citizen complaints.

The EU Parliament committee charged with matters related to data protection called on the European Commission to take action before the end of 2015 on the Safe Harbor renegotiations and to reevaluate the adequacy of the other data transfer mechanisms.

One thing is certain: companies should move to alternative data transfer mechanisms, and they should hope that the EU and U.S. can hammer out their differences by the end of January 2016. Otherwise, the current EU position could lead to even more dramatic and coordinated prohibitions of the critical data transfers that are the lifeblood of our U.S.-EU trade relationship.