Views on Privacy Enforcement, EU Data Transfer After Safe Harbor From Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Dutch Data Protection Authority Chairman Jacob Kohnstamm told Bloomberg BNA that the Article 29 Working Party of European Union data protection officials would re-convene in November to adopt an enforcement strategy regarding the invalidated U.S.-EU Safe Harbor Program.

Kohnstamm, who is a former chairman of the Working Party tells Bloomberg BNA Brussels correspondent Stephen Gardner that companies should “prepare for the worst,” including a possible ban on data transfers from the EU to the U.S. unless a company has a basis other than Safe Harbor. He also warns that companies face continued uncertainty because of differences between EU DPAs, and because other transfer mechanisms, such as standard contractual clauses approved by the European Commission, are vulnerable to challenge.

Bloomberg BNA:

What will happen in terms of enforcement of the ECJ ruling invalidating Safe Harbor if we get to the end of January 2016 and there is still no political agreement between the EU and the U.S. on a replacement framework for Safe Harbor?

Jacob Kohnstamm:

I have been in politics for 25 years and the first lesson I got was never, ever answer “what if?” questions, because you are then tied to the answer and you don't know exactly what the situation will be.

I was recently in discussion with some people from business and they said if in January there is no political solution, the Article 29 Working Party should give guidance about what business needs to do. The question is to the business community: what if?

We have a problem as regulators. The ECJ said DPAs have power and should have acted much earlier; data protection is your business—do it! We are going to enforce because the European supreme court has told us to do so. So please, the government in the U.S. and the European Commission and if need be the privacy community, help us out.

We all have problems. The governments face problems and the regulators also face problems, and the only power [the DPAs] have in the end is saying no.

Looking for solutions, the first [to act should be] the governments—the European Commission and the U.S. government—and the second is business itself to find a solution. If they can't find a solution, the only way we can act is by enforcing and so [there will be] no data transfer under Safe Harbor to the U.S. We're law-abiding types.

Bloomberg BNA:

Does the Dutch DPA have a contingency plan of what enforcement action will be taken if there is no top-level agreement by the end of January?


Not yet. Honest answer. On Oct. 6 [when the ECJ ruling was handed down] the Dutch DPA was pretty much involved in organizing the conference.

We first were involved in getting the Art. 29 Working Party to accept what I would call a terme de grace [grace period] until the end of January. I'm very happy that this decision was taken—you've seen the communiqué from the chair of the Working Party. That was the first step and it was an important one.

We'll have a meeting at the end of November with the Working Party to see if we can have a collective contingency plan: what are we going to do, how are we going to do it, what do we need to do that.

We'll have a meeting at the end of November with the Working Party to see if we can have a collective contingency plan: what are we going to do, how are we going to do it, what do we need to do that.

But it's not yet there and in fact I'm afraid that, given the ECJ ruling, the business community must be prepared for the worst – no personal data from Europe to the U.S. if based on Safe Harbor.

I personally—and this is not yet the conclusion of the Working Party—[think that] if you seriously look at the ECJ ruling and take on board binding corporate rules and standard contractual clauses, honestly speaking I think you can't come to another conclusion than saying they in the end will be declared invalid as well.

If data through Safe Harbor or personal data through standard contractual clauses or BCRs goes to the U.S., and the National Security Agency has all the rights in the world to get their hands on that data, no one can explain me why then in the end the European court wouldn't declare it invalid as well.

There's not yet agreement on that point within the Working Party, by the way.

Bloomberg BNA:

Can the Art. 29 Working Party hold to a common line on enforcement of the ECJ decision, considering differing views of some members? German federal state DPAs, for example, have said they do not approve of alternative bases for transfers.


[The Art. 29 Working Party has] 28 members plus one member with 16 Länder [German federal states] DPAs, and in the midst [of the Länder] a lack of leadership. [Berlin data protection commissioner] Alexander Dix was chairing the meeting of Länder and was also trying to get some sort of agreement between the Länder and the federal DPA. He resigned from that post because he was at the end of his term. They didn't find a successor, and the law says that he needs to say in his post as long as there's no successor.

There have been until now a couple of DPAs that were pretty much leading in terms of influence in the Working Party. Germany was one of them and they're losing ground.

Bloomberg BNA:

Is the ECJ ruling invalidating Safe Harbor in effect a data localization requirement for companies operating in the EU, if it also puts other bases for transfers to the U.S. at risk?


I don't think so. A very important part of the ruling says that making a declaration of invalidity remains only a right of the ECJ. We can discuss and can maybe have different approaches within the DPAs, but in the end its the ECJ that rules the waves, and that's a good thing.

Bloomberg BNA:

That means in the end it might take two years, for example, for the European Commission decision on standard contractual clauses to be invalidated, should it be challenged?


Yes it will, but for companies [the situation could be] complicated if one of the Länder or one of the DPAs takes one or two companies to court and says this doesn't work and we need a decision of the ECJ.

Of course business is always interested in knowing what the legal situation is. It might take another two years and that might be pretty disastrous for business, and maybe also in the end for support for privacy if we cause too much uncertainty.