EU Privacy Chiefs to Assess Safe Harbor Alternatives

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Nov. 10 — The European Union's data protection authorities will use the period up to the end of January 2016 to assess in detail whether or not alternative mechanisms for data transfer from the EU to the U.S. remain valid, an Article 29 Working Party official said Nov. 10.

At a meeting of the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE), Florence Raynal, head of European and international affairs for France's data protection authority—the Commission Nationale de l'Informatique et des Libertés (CNIL)—said that EU data protection authorities had started an evaluation of the impact of the invalidation of Safe Harbor on standard contractual clauses, binding corporate rules and other grounds for data transfers, such as data subject consent.

The Art. 29 Working Party, which is currently chaired by CNIL, will stage a Nov. 29 hearing on transfers to the U.S., Raynal said, though she didn't give details of where the hearing would take place.

The European Court of Justice invalidated the U.S.-EU Safe Harbor Oct. 6, saying that the self-certification framework, which was used by about 4,400 U.S. companies as a legal basis for their transfers of data out of the European Economic Area, wasn't in line with EU privacy rights because of the possibility that the data of EU citizens might be accessed as part of U.S. government surveillance programs, and because it offered insufficient redress in case of data protection breaches.

Standard Contractual Clauses

Raynal said that the Art. 29 Working Party would look in particular at standard contractual clauses, which are defined by the European Commission, and can be written into contracts between EU data exporters and U.S. data importers.

Standard contractual clauses have been highlighted by the commission as the main fallback for companies affected by the invalidation of Safe Harbor.

The commission decision establishing the standard contractual clauses “provides for the possibility for the authorities to prohibit transfers” in case laws in the destination country require data importers to derogate from data protection law to an extent that goes beyond what is considered reasonable in a democratic society, Raynal said.

The aim of the working party's evaluation of standard contractual clauses would be to “define which derogations are acceptable in a democratic society,” Raynal said.

January 2016 Deadline

Raynal also said that the Art. 29 Working Party needed “to take a stance” on other possible legal grounds under which data could be transferred from the European Economic Area to the U.S., such as data subject consent.

“We need to specify when it is possible to use” mechanisms such as consent, Raynal said.

In the wake of the ECJ's Oct. 6 invalidation of Safe Harbor, the Art. 29 Working Party said Oct. 16 that it would start to enforce the court's decision at the end of January 2016, unless a replacement mechanism for Safe Harbor had been agreed by EU and U.S. negotiators.

Raynal said that if there was no agreement by the end of January, and if the Art. 29 evaluation showed problems with other transfer mechanisms, such as standard contractual clauses, EU DPAs would “take appropriate measures.”

Privacy Group Criticized

Axel Voss, a German center-right LIBE lawmaker, said that the Art. 29 Working Party's evaluation of other EU-U.S. data transfer mechanisms went further than allowed by the ECJ judgment. Part of that judgment said that only the ECJ was competent to invalidate European Commission decisions, such as Safe Harbor and decisions establishing standard contractual clauses.

It was “quite frightening that we're going beyond the judgment itself and talking about reviewing a series of matters,” when the ECJ had “not questioned” other data transfer “instruments already embedded in legislation,” Voss said.

Voss criticized German DPAs, which on Oct. 26 issued a statement questioning the validity of standard contractual clauses for data transfers to the U.S. “Throwing all the instruments that we have overboard is going much too far,” Voss said.

Raynal said that “we realize the impact in economic terms,” but “we have to assess if those instruments give us adequate guarantees” of data protection for EU citizens.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Jimmy H. Koo at