The Schrems decision (in which the Court of Justice of the
European Union invalidated the Safe Harbour agreement as a means of
legitimising transfers of personal data between the EU and the USA)
has generated many column inches since its release earlier this
month. There remains a degree of uncertainty as to what will happen
next and whether a revised agreement can be reached. In the
interim, businesses have been forced to consider how they can
utilise alternative mechanisms to ensure they continue to operate
lawfully in this area.
Another Safe Harbour?
The EU's Article 29 Working Party1 has released a
statement calling for continued negotiations between the
authorities in the EU and the USA and emphasising the need for
businesses to assess the use of alternative mechanisms. If no
solution has been agreed by the end of January 2016, the
Working Party has said that enforcement steps will then be
taken. Whilst this affords businesses a period of time to
effect any necessary changes, it is not long and a review of data
transfers should be initiated immediately. It is worth noting
that Standard Contractual Clauses and Binding Corporate Rules
can be used in the interim.
However, whilst the January 2016 deadline acts as some comfort,
the Working Party did confirm that its position would not
prevent individual data protection authorities from
investigating individual complaints and taking enforcement
steps as appropriate.
The Data Protection Commissioner for Guernsey and Information
Commissioner for Jersey (both roles are fulfilled by one
person) has yet to give a formal statement as to her position
in light of the Article 29 statement, but it is anticipated that
she will adopt a similar stance to that of the Working
The European Justice Commissioner Vera Jourova indicated last
week that an agreement "in principle" had been
reached, but that further discussions were needed on the
detail, in particular on the technical issues, the extent to which
US intelligence services would have access to the personal
data of EU citizens and ensuring that any agreement is
compliant with the Schrems decision.
The Article 29 Working Party has also indicated it would release
a formal statement in response to the Schrems decision in the
coming weeks. The UK's Information Commissioner's
Office has also commented on the decision (see here)
It is anticipated that further news will emerge in the next
month, with Commissioner Jourova scheduled to visit the USA in
mid-November. It is clear that progress is being made, but
whether agreement can be reached in time for January 2016 (or
at all) remains to be seen.
In the interim, companies should review their data transfers and
assess whether changes need to be made, considering in
particular the use of alternative mechanisms, alterations to
contractual documents and amendments to any existing privacy
1 This is made up of representatives from the data
protection authority of each EU member state, the European
Data Protection Supervisor and the European
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).