European Data Authorities React to Safe Harbor Invalidation

What’s the News?

Following the European Court of Justice’s decision to invalidate the safe harbor framework, multinational businesses have been clamoring for guidance regarding how best to comply with European Union data protection laws while transferring data from the EU to the United States. While regulators are actively working to develop a “Safe Harbor 2.0”—with some speculating that draft legislation may be finalized as early as mid-December 2015— no such framework has been released. Further, it has been widely recognized that all data transfers taking place based upon a previous reliance on the framework are now in violation of EU law unless a separate transfer rationale exists. Given these concerns, several EU data protection authorities (DPAs) have spoken out with some guidance.

What are EU DPAs Saying?

Many of the authorities are saying what the ECJ previously stated: safe harbor is invalid. That said, several notable authorities have spoken up to provide their position following the invalidation, including the following:

• Article 29 Working Party: The Article 29 Working Party is composed of DPAs from the various EU Member States and other EU data authorities and is tasked with promoting uniform application of the EU Data Directive and otherwise advising the EU regarding data protection concerns. The Working Party released a statement indicating that it is analyzing the impact of the Court’s decision on other transfer methods such as standard contractual clauses and binding corporate rules. It also stated that DPAs are authorized to take action involving these transfer methods if deemed necessary to protect EU consumers. Further, if no solution is created by the end of January 2016, the Working Party has indicated that the various DPAs are committed to taking action, up to a possible coordinated enforcement action.
• Germany: In Germany, alternative transfer methods are still considered largely acceptable. However, concerns have been raised. Notably, multinational companies may consider the following:
  • Consent: Specific consent may be provided by data subjects to permit the transfer of their data to the US. Consumers should be advised that data is being transferred to the US and the US has less stringent data protection requirements than the EU. Additionally, it may be advisable to notify consumers that they will not be able to exercise many of the rights conferred upon them in the EU once their data is transferred to the US.
  • Contractual Purpose: In some cases, data may be transferred where such transfer is necessary to fulfill the purpose of a contract. For example, a consumer would have to share personal information in order to book airline travel. However, use of this justification for data transfer is limited and may not apply in all situations.
• Spain: Following the invalidation of safe harbor, the Spanish DPA has mailed formal letters to data controllers in Spain that had previously relied upon the safe harbor to transfer data to the US. The letters require companies to provide information on how they will comply with data transfer requirements following the invalidation of safe harbor.

 
The EU Member States continue to scramble to make ad hoc decisions regulating the transfer of information to the US following the invalidation of the safe harbor framework. Additional updates are sure to be forthcoming. The fragmented response by the DPAs continues to demonstrate the urgent need for a singular framework.

What Does This Mean for Businesses with EU Ties?

As noted in our previous alert, businesses which deal with these issues are encouraged to take thoughtful action to assess data transfer from the EU to the US. In many cases, businesses will be able to rely upon clear and specific consent. For others, standard contractual clauses or binding corporate rules may be a better solution. That said, a solution should be carefully created following an assessment of specific business needs.