03 November 2015
Schrems v Data Protection Commissioner summary
The Schrems decision (in which the Court of Justice of the European Union invalidated the Safe Harbour agreement as a means of legitimising transfers of personal data between the EU and the USA) has generated many column inches since its release earlier this month.
There remains a degree of uncertainty as to what will happen next and whether a revised agreement can be reached. In the interim, businesses have been forced to consider how they can utilise alternative mechanisms to ensure they continue to operate lawfully in this area.
Another Safe Harbour?
The EU’s Article 29 Working Party1 has released a statement calling for continued negotiations between the authorities in the EU and the USA and emphasising the need for businesses to assess the use of alternative mechanisms. If no solution has been agreed by the end of January 2016, the Working Party has said that enforcement steps will then be taken. Whilst this affords businesses a period of time to effect any necessary changes, it is not long and a review of data transfers should be initiated immediately. It is worth noting that Standard Contractual Clauses and Binding Corporate Rules can be used in the interim.
However, whilst the January 2016 deadline acts as some comfort, the Working Party did confirm that its position would not prevent individual data protection authorities from investigating individual complaints and taking enforcement steps as appropriate.
The Data Protection Commissioner for Guernsey and Information Commissioner for Jersey (both roles are fulfilled by one person) has yet to give a formal statement as to her position in light of the Article 29 statement, but it is anticipated that she will adopt a similar stance to that of the Working Party.
The European Justice Commissioner Vera Jourova indicated last week that an agreement “in principle” had been reached, but that further discussions were needed on the detail, in particular on the technical issues, the extent to which US intelligence services would have access to the personal data of EU citizens and ensuring that any agreement is compliant with the Schrems decision.
The Article 29 Working Party has also indicated it would release a formal statement in response to the Schrems decision in the coming weeks. The UK’s Information Commissioner’s Office has also commented on the decision.
It is anticipated that further news will emerge in the next month, with Commissioner Jourova scheduled to visit the USA in mid-November. It is clear that progress is being made, but whether agreement can be reached in time for January 2016 (or at all) remains to be seen.
In the interim, companies should review their data transfers and assess whether changes need to be made, considering in particular the use of alternative mechanisms, alterations to contractual documents and amendments to any existing privacy policies.
1 This is made up of representatives from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission.