Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Oct. 16 — U.S. companies seeking viable mechanisms for data transfers out of the European Union after the invalidation of the U.S.-EU Safe Harbor framework, were offered little reassurance by EU data protection authorities in an Oct. 16 official statement.
In their first substantive joint response to the European Court of Justice's ruling killing Safe Harbor, the Article 29 Working Party of EU data protection officials from 28 EU member states affirmed that any transfers being made to the U.S. on the basis of Safe Harbor were unlawful, and that they reserved the right to investigate any privacy complaints that arose in relation to transfers.
In addition, unless the European Commission, the EU's executive arm, and U.S. authorities agree on a framework to replace Safe Harbor by the end of January 2016, DPAs will consider taking “coordinated enforcement actions” against companies unlawfully transferring data, according to the statement issued after an extraordinary plenary meeting convened to discuss the Oct. 6 invalidation of Safe Harbor by the ECJ.
Jörg Hladjk, counsel with Hunton & Williams LLP in Brussels, told Bloomberg BNA Oct. 16 that by setting a January 2016 deadline after which coordinated enforcement could start, “the DPAs have put huge pressure on the Commission and the U.S. Government to find a solution quickly.”
The statement added that the Working Party considered that alternatives to Safe Harbor, such as model contacts or binding corporate rules, “can still be used,” but added that individual DPAs could nevertheless investigate transfers made using these mechanisms, if it was deemed necessary for them to “exercise their powers in order to protect individuals.”
Following the invalidation of Safe Harbor, companies should “reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks,” the Art. 29 Working Party statement said.
Brian Hengesbaugh, a partner with Baker & McKenzie LLP in Chicago, told Bloomberg BNA Oct. 16 that the Working Party had offered some comfort to U.S. companies left exposed by the invalidation of Safe Harbor because it had “endorsed standard clauses, binding corporate rules, and other alternatives, at least with respect to a transition period until the end of January 2016.”
Over 4,400 U.S. companies had been allowed to transfer EU citizens' data to the U.S. because they self-certified to the U.S. Department of Commerce their compliance with privacy principles similar to those contained in the EU Data Protection Directive (95/46/EC).
The ECJ held, however, that the U.S.-EU Safe Harbor Program failed to adequately protect the privacy rights of EU citizens as laid down in the EU Charter of Fundamental Rights and expressed in the Data Protection Directive, against U.S. government surveillance of personal data transferred by companies.
The Art. 29 statement said that EU DPAs had “consistently stated that such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue.”
The EU and U.S. would need to find “political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights,” and this could include “an intergovernmental agreement providing stronger guarantees to EU data subjects,” the Art. 29 Working Party statement said.
The European Commission, the EU's executive arm, has said it will continue to pursue negotiations with the U.S. on an upgraded version of Safe Harbor that were already underway when the ECJ invalidated Safe Harbor. However, the Art. 29 Working Party statement said only that these discussions might be “a part of the solution.”
Hengesbaugh said that it was surprising that the Art. 29 statement “expressly noted that transfers to Safe Harbor companies are illegal,” because this could “narrow the scope” for EU DPAs to “make those determinations on a case-by-case basis,” and to take into account if companies transferring data were exposed to demands by U.S. law enforcement agencies.
The Belgian Privacy Commission, in a statement issued Oct. 16 to coincide with the Art. 29 statement, said it “particularly welcomed” that the ECJ ruling invalidating Safe Harbor “clearly demonstrates that the intervention of independent national supervisors is important when there are conflicts regarding privacy.”
Some EU data protection authorities, boosted by the ECJ ruling, have said they could investigate any transfers to the U.S. to test the adequacy of their data protection safeguards. For example, the DPA from the German state of Schleswig-Holstein said Oct. 14 that effected companies should “consider alternatives to the processing of personal data in the United States,” rather than rely on transfer arrangements previously considered adequate.
To contact the reporter on this story: Stephen Gardner in Brussels at email@example.com
To contact the editor on this story: Donald G. Aplin at firstname.lastname@example.org
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)