EU Privacy Chiefs Give Companies Until January for Data Transfer Compliance Before Possible Enforcement
Data transfers still taking place under the safe harbor agreement are "unlawful," EU data protection authorities confirmed Friday. In a statement following a meeting on the ramifications of the Oct. 6 European Court of Justice (ECJ) decision killing safe harbor (see 1510060001), the Article 29 Data Protection Working Party (WP) "urgently" called on EU governments and institutions to "open discussion with US authorities" on legal and technical solutions to allow data to flow while respecting privacy rights. The group of national privacy authorities said it will launch "appropriate" national information campaigns that could include direct contact with all known companies that used to rely on the agreement. The statement shows the WP is trying to balance concerns for safe data flows with reasonable expectations, said Hogan Lovells (London) data protection attorney Eduardo Ustaran.
EU data protection authorities "consider that it is absolutely essential to have a robust, collective and common position" on how to implement the ECJ judgment, the WP said. Its analysis of the case rested partly on the question of massive, indiscriminate surveillance, it said. Information transfers to non-EU countries where state authorities can access the data "go beyond what is necessary in a democratic society" and aren't safe destinations for transfers, it said. National governments and EU bodies should now open talks with the U.S. on possible solutions, which could include an intergovernmental accord that grants stronger guarantees to EU data subjects, the WP said. The current negotiations on a new safe harbor could be part of the solution, but any resolution must include requirements for oversight of access by public agencies, transparency, proportionality, redress mechanisms and data protection rights, it said.
Meanwhile, privacy chiefs said they would continue to analyze the decision's impact on other data transfer tools. During this time, companies can use standard contractual clauses and binding corporate rules, but that won't stop data protection authorities from investigating particular cases when, for example, there are complaints, they said. If by the end of January no appropriate solution with the U.S. has been found, and depending on their assessment of the other data transfer tools, "data protection authorities are committed to take all necessary and appropriate actions, which may include enforcement actions," the WP said. Businesses should "reflect on the eventual risks they take" when sending data to the U.S. and consider adopting legal and technical mechanisms in a timely manner to mitigate the risks, it said.
The message is that "Safe Harbor 1.0" is gone because it doesn't deal with indiscriminate surveillance, Ustaran emailed. "Safe Harbor 2.0" could be part of a future solution, but for now, the other tools are the way to go although they could be subject to investigation at any time, he said. Companies have until the end of January to comply, he said. The WP appears to be trying to "strike a balance between reiterating their emphasis on safe data flows and being reasonable in their expectations."
In a resolution approved Oct. 12, the European Parliament Civil Liberties Committee pressed the EC to "immediately" come up with alternatives to safe harbor and report to it by year's end. Failure to do so could force Parliament to bring an action or "place certain budgetary resources for the Commission in a reserve until all recommendations have been properly addressed," a news-media statement said.