EU Privacy Chiefs Offer Little Help on Safe Harbor

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Oct. 16 — U.S. companies seeking viable mechanisms for data transfers out of the European Union after the invalidation of the U.S.-EU Safe Harbor framework, were offered little reassurance by EU data protection authorities in an Oct. 16 official statement.

In their first substantive joint response to the European Court of Justice's ruling killing Safe Harbor, the Article 29 Working Party of EU data protection officials from 28 EU member states affirmed that any transfers being made to the U.S. on the basis of Safe Harbor were unlawful, and that they reserved the right to investigate any privacy complaints that arose in relation to transfers.

In addition, unless the European Commission, the EU's executive arm, and U.S. authorities agree on a framework to replace Safe Harbor by the end of January 2016, DPAs will consider taking “coordinated enforcement actions” against companies unlawfully transferring data, according to the statement issued after an extraordinary plenary meeting convened to discuss the Oct. 6 invalidation of Safe Harbor by the ECJ.

Jörg Hladjk, counsel with Hunton & Williams LLP in Brussels, told Bloomberg BNA Oct. 16 that by setting a January 2016 deadline after which coordinated enforcement could start, “the DPAs have put huge pressure on the Commission and the U.S. Government to find a solution quickly.”

The statement added that the Working Party considered that alternatives to Safe Harbor, such as model contacts or binding corporate rules, “can still be used,” but added that individual DPAs could nevertheless investigate transfers made using these mechanisms, if it was deemed necessary for them to “exercise their powers in order to protect individuals.”

Following the invalidation of Safe Harbor, companies should “reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks,” the Art. 29 Working Party statement said.

Brian Hengesbaugh, a partner with Baker & McKenzie LLP in Chicago, told Bloomberg BNA Oct. 16 that the Working Party had offered some comfort to U.S. companies left exposed by the invalidation of Safe Harbor because it had “endorsed standard clauses, binding corporate rules, and other alternatives, at least with respect to a transition period until the end of January 2016.”

Hard Line on Road Ahead 

Over 4,400 U.S. companies had been allowed to transfer EU citizens' data to the U.S. because they self-certified to the U.S. Department of Commerce their compliance with privacy principles similar to those contained in the EU Data Protection Directive (95/46/EC).

The ECJ held, however, that the U.S.-EU Safe Harbor Program failed to adequately protect the privacy rights of EU citizens as laid down in the EU Charter of Fundamental Rights and expressed in the Data Protection Directive, against U.S. government surveillance of personal data transferred by companies.

The Art. 29 statement said that EU DPAs had “consistently stated that such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue.”

The EU and U.S. would need to find “political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights,” and this could include “an intergovernmental agreement providing stronger guarantees to EU data subjects,” the Art. 29 Working Party statement said.

The European Commission, the EU's executive arm, has said it will continue to pursue negotiations with the U.S. on an upgraded version of Safe Harbor that were already underway when the ECJ invalidated Safe Harbor. However, the Art. 29 Working Party statement said only that these discussions might be “a part of the solution.”

Enforcement Actions?

Hengesbaugh said that it was surprising that the Art. 29 statement “expressly noted that transfers to Safe Harbor companies are illegal,” because this could “narrow the scope” for EU DPAs to “make those determinations on a case-by-case basis,” and to take into account if companies transferring data were exposed to demands by U.S. law enforcement agencies.

The Belgian Privacy Commission, in a statement issued Oct. 16 to coincide with the Art. 29 statement, said it “particularly welcomed” that the ECJ ruling invalidating Safe Harbor “clearly demonstrates that the intervention of independent national supervisors is important when there are conflicts regarding privacy.”

Some EU data protection authorities, boosted by the ECJ ruling, have said they could investigate any transfers to the U.S. to test the adequacy of their data protection safeguards. For example, the DPA from the German state of Schleswig-Holstein said Oct. 14 that effected companies should “consider alternatives to the processing of personal data in the United States,” rather than rely on transfer arrangements previously considered adequate.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor on this story: Donald G. Aplin at