Yesterday, the EU data protection authorities (hereafter DPAs) assembled in the Article 29 Working Party made a first statement on the ECJ decision on the Safe Harbour agreement and defined the further steps to be taken by data protection authorities.
Here are the main points of the statement:
- DPAs urge Member States and the European institutions to conclude a new intergovernmental agreement between the EU and the US. This time, however, the agreement should provide adequate solutions in terms of data protection, which should be assisted “by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights”.
- The Article 29 Working Party will continue to analyse the impact of the ECJ judgment on the other transfer tools (i.e. Standard Contractual Clauses and Binding Corporate Rules), which companies can still use until the new legal framework is defined.
- In any case, DPAs will be able to investigate particular cases of trans-border data flows that are based on the transfer tools mentioned above.
- Ultimatum: “If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”.
DPAs clearly point out that, after the ECJ judgment, data transfers that are still taking place under the Safe Harbour decision are unlawful. In this light, the authorities will run an adequate communication campaign to ensure that all stakeholders are sufficiently informed of the effects of the ECJ decision.
A brief comment on the statement
First, European DPAs urge the EU and US authorities to conclude a new and fair agreement for data transfers between the two sides of the Atlantic.
Second, companies should move from the Safe Harbour system to different transfer tools, which are based on contractual agreements or co-regulation (i.e. Standard Contractual Clauses and Binding Corporate Rules).
Finally, it should be pointed out that the regional German DPA of Schleswig-Holstein has already expressed a negative opinion on the use of the standard contractual clauses to solve the problem of EU-US data transfers. Nevertheless, the Schleswig-Holstein authority is known for its rigorous interpretation of data protection rules, and its position may not be adopted by the other DPAs.