Since the Article 29 Working Party on the Protection of Individuals (“WP29”) announced last week that it would it shortly issue a statement on the landmark CJEU ruling invalidating the Safe Harbor Decision (Schrems v. Data Protection Commissioner (C-362- 14)), we have been awaiting their guidance. Today, the WP29 issued an important statement offering some clarity to companies that, amid the fallout from the decision, have been pondering the question of “What’s next?”
The Working Party’s statement outlined the initial consequences from the decision:
The Mass Surveillance Issue: The WP29 stated that the “key element” of the Court’s analysis was the question of the U.S. government’s “massive and indiscriminate surveillance” that was incompatible with the EU privacy framework, noting that existing transfer tools were not a solution to this issue.
Political Solutions: Remarking on the absence of available remedies for EU residents to rectify instances of data misuse, the Working Party called on EU and U.S. authorities to find “political, legal and technical solutions” that would allow data transfers that comply with EU privacy rights. Such solutions would likely include, among other things, finalizing negotiations to strengthen the Safe Harbor and passage of the Judicial Redress Act that would grant EU residents a right to bring an action in U.S. courts if their data is misused in the U.S.
EU-U.S. Safe Harbor Invalidation: The WP29 made clear that transfers that are still taking place under the Safe Harbor program after the CJEU judgment last week are unlawful.
Other Mechanisms: With the invalidation of the Safe Harbor, the more than 4,500 companies that had relied on it will have to select a new mechanism for transferring data from the EU, namely, e.g., Standard Contractual Clauses and Binding Corporate Rules. The WP29 announced that while it continues its analysis on the impact of the ruling on these other tools, such methods can still be used. In any case, data protection authorities still possess the power to investigate individual complaints.
Grace Period: The WP29 stated that if no “appropriate solution” is found by the end of January 2016, and depending on its ongoing assessment of the remaining data transfer tools, EU data protection authorities may take necessary steps, which may include bringing enforcement actions.
The WP29 statement answered some important questions, yet uncertainty exists about what political or legal solutions will emerge from the current negotiations between the EU and U.S., and whether such updated mechanisms will pass muster with the CJEU or individual data protection authorities, which, as the CJEU ruled, may exercise “their functions with complete independence.”