On October 6, 2015, the Court of Justice of the European Union
(CJEU) invalidated the decision underlying the European Union's
(EU) safe harbor structure for cross-border data transfers from the
EU to the United States in Schrems v.
Data Protection Commissioner of Ireland
(Schrems). Shortly following the CJEU's
decision, the Article 29 Data Protection Working Party (Working
Party) issued a statement outlining its views as to the
consequences of the CJEU decision in Schrems. The
decision may directly impact Canadian businesses which transfer
data from the EU to the United States or which host data in the
Safe Harbor and Schrems
Under the EU Data Protection Directive, personal
information of EU citizens can only be transferred from the EU to
countries with adequate data protection standards. Safe
Harbour, which was negotiated between the European Commission and
the United States Department of Commerce, was one of a number of
mechanisms available to EU companies to ensure there was an
adequate level of protection when transferring personal data of EU
citizens to the United States. To benefit from Safe Harbour,
a company was required to self-certify to the United States
Department of Commerce that it complied with specified EU privacy
In Schrems, the CJEU declared Safe Harbor
invalid. The CJEU held that ensuring an adequate level of
data protection for EU citizens, as is required by the EU Data
Protection Directive, means providing "a level of protection
of fundamental right and freedoms that is essentially equivalent to
that guaranteed within the European Union." The CJEU found
that Safe Harbor failed to meet this standard since it did not
prohibit the United States government from collecting and examining
the personal information of EU citizens.
The Working Party's Opinion
The Working Party is an advisory board consisting of EU data
protection authorities and was created pursuant to the EU Data
Protection Directive. The views of the Working Party are
typically followed by EU regulators.
On October 16, 2015, the Working Party issued a statement which
noted that it was still considering Schrems and
acknowledged the uncertainty Schrems has created. The
Working Party confirmed that certain other mechanisms permitting
the transfer of EU citizens' personal information to the United
States will remain valid, such as the "Standard Contractual
Clauses and Binding Corporate Rules". However, the Working
Party noted that this will not prevent EU data protection
authorities from investigating individual cases.
The Working Party emphasized the need for EU data protection
authorities to have a "robust, collective and common
position" to successfully implement Schrems. The
statement adopts the position that the core element to
Schrems was the issue of massive and indiscriminate
surveillance in the United States, which the Working Party
previously stated is incompatible with EU law.
In addition, the Working Party called on EU member states and
institutions to enter discussions with the United States in order
to find political, technical and legal solutions to enable
transfers of personal information to the United States, while
respecting the fundamental rights of EU citizens. The Working Party
stressed the need for "clear and binding mechanisms", as
well as "obligations on the necessary oversight of access by
public authorities, on transparency, on proportionality, on redress
mechanisms and on data protection rights".
In light of Schrems and the Working Party's
statement, it is likely that any future decisions by EU data
protection authorities with respect to adequate levels of
protection under EU safe harbour rules will include an analysis of
the laws and agreements regarding data transfer of the country to
which EU citizens' personal information is being
transferred. It will be worthwhile to monitor future
decisions of EU data protection authorities and whether they call
any other safe harbour structures into question.
Canadian businesses which rely on Safe Harbour to transfer
personal information of EU citizens from their operations in the EU
to the United States or which host personal information of EU
citizens with service providers operating in the United States
should promptly work to adopt one of the alternative means
available to comply with the EU Data Protection Directive.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).