On Friday, October 16, 2015, the Article 29 Working Party
("WP29") released a statement on the decision of the Court of
Justice of the European Union ("CJEU") in the case Schrems v Data Protection Commissioner
(C-362-14), the landmark decision which invalidated the
decision of the European Commission underpinning the Safe Harbour
framework by which personal information was permitted to move from
the EU to the United States.
Status of Model Contract Clauses and Binding Corporate
The WP29 stated that it was still considering the
Schrems decision and acknowledged the uncertainty that the
decision had caused, emphasizing that "data protection
authorities ("DPAs") consider that it is absolutely
essential to have a robust, collective and common position on the
implementation of the judgment."
During the WP29's evaluation period, it suggests that
certain similar mechanisms for rendering lawful a transfer of data
from the EU to the United States remain valid. In particular, WP29
advises that during its evaluation period, "data protection
authorities consider that Standard Contractual Clauses and Binding
Corporate Rules can still be used". Accordingly, while certain
data protection commissioners have doubted the validity of these
mechanisms, it appears that the majority of commissioners will
accept them as legitimate at least for a transitional period. WP29
goes on to note, however, that this will not prevent DPAs from
investigating individual cases.
Transfers Considered Unlawful – Enforcement by January 1,
The WP29 also unequivocally stated its view that "it is
clear that transfers from the European Union to the United States
can no longer be framed on the basis of the European Commission
adequacy decision 2000/520/EC (the so-called "Safe Harbour
decision")." It then goes on to say that (emphasis added)
"transfers that are still taking place under the Safe
Harbour decision after the CJEU judgment are
Businesses will have a short timeline in which to bring
themselves into compliance. The WP 29 has set a 3-month deadline
for the EU and United States to conclude negotiations and implement
a new safe harbour regime. It has warned that "[i]f by the end
of January 2016, no appropriate solution is found with U.S.
authorities and depending on the assessment of the transfer tools
by the Working Party, EU data protection authorities are committed
to take all necessary and appropriate actions, which may include
coordinated enforcement actions."
Other Points in the WP29 Statement
In WP29's view, the "the question of massive and
indiscriminate surveillance is a key element of the Court's
analysis" in Schrems and warned that such
surveillance is "is incompatible with the EU legal
framework" and warned that the transfer of personal
information to third countries "where the powers of state
authorities to access information go beyond what is necessary in a
democratic society will not be considered as safe destinations for
This implies that any future adequacy decisions from DPAs will
undertake a broad analysis of the third country's domestic laws
and international commitments. In this regard, there is a risk that
Canada's PIPEDA will be called into question in light of this
country's relationship (formal and otherwise) with the United
States and Canada's recent data legislation (in particular Bill
C-51, introduced by the Canadian federal government and affording
Canadian law enforcement officials greater access to data). It is
an open question as to whether this constellation of factors could
push Canada into the realm of "inadequate" safeguards
insofar as the EU is concerned.
Likewise, there remains a risk that other bases for sending data
from the EU to the United States will be threatened by this
interpretation of Schrems. In particular, in a number of
circumstances, it is unclear whether an importer of data in the
United States can make the strong warranties required by the model
contract clauses or the binding corporate rules, if similar
guarantees were deemed inadequate under the now-invalidated Safe
Businesses will want to pay close attention to the ongoing Safe
Harbour negotiations between the EU and the United States, and in
the interim, seriously consider rerouting data flows, evaluate the
risks and benefits of model contract clauses and binding corporate
rules, and re-evaluate their collection and transfer of personal
information where possible.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).