Following the landmark ruling of the Court of Justice of the European Union (CJEU) of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362-14), the EU data protection authorities assembled in the Article 29 Working Party have discussed the first consequences to be drawn at European and national level. EU data protection authorities consider that it is absolutely essential to have a robust, collective and common position on the implementation of the judgment. Moreover, the Working Party will observe closely the developments of the pending procedures before the Irish High Court.
First, the Working Party underlines that the question of massive and indiscriminate surveillance is a key element of the Court’s analysis. It recalls that it has consistently stated that such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue. Furthermore, as already stated, transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers. In this regard, the Court’s judgment requires that any adequacy decision implies a broad analysis of the third country domestic laws and international commitments.
Therefore, the Working Party is urgently calling on the Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects. The current negotiations around a new Safe Harbour could be a part of the solution. In any case, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.
In the meantime, the Working Party will continue its analysis on the impact of the CJEU judgment on other transfer tools. During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. In any case, this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.
If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.
In order to ensure that all stakeholders are sufficiently informed, EU data protection authorities will put in place appropriate information campaigns at national level. This may include direct information to all known companies that used to rely on the Safe Harbour decision as well as general messages on the authorities’ websites.
In conclusion, the Working Party insists on the shared responsibilities between data protection authorities, EU institutions, Member States and businesses to find sustainable solutions to implement the Court’s judgment. In particular, in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.