ARTICLE
19 October 2015

EU Data Protection Authorities Issue Joint Statement On Invalidation Of Safe Harbor: Not Much Help Here

M
Mintz

Contributor

Mintz is a litigation powerhouse and business accelerator serving leaders in life sciences, private equity, sustainable energy, and technology. The world’s most innovative companies trust Mintz to provide expert advice, protect and monetize their IP, negotiate deals, source financing, and solve complex legal challenges. The firm has over 600 attorneys across offices in Boston, Los Angeles, Miami, New York, Washington, DC, San Francisco, San Diego, and Toronto.
US companies hoping for some guidance on managing cross-border data transfers will be sorely disappointed.
United States Privacy

The so-called "Article 29 Working Party" of EU Data protection officials from the 28 EU member states today released a much-anticipated press release regarding the Court of Justice of the European Union (CJEU) landmark decision invalidating the US-EU Safe Harbor framework.

US companies hoping for some guidance on managing cross-border data transfers will be sorely disappointed.

Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called "Safe Harbour decision"). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful. 

Further, although the statement indicates that the Working Party considers that Model Contracts or binding corporate rules "can still be used," the group reserves the right to investigate any privacy complaints that arise in relation to any such transfers.   In addition, unless the EU and US authorities agree on a Safe Harbor 2.0 or some other replacement, the statement says that the data protection authorities would consider taking "coordinated enforcement actions" against companies unlawfully transferring data.

The last paragraph of the statement sounds a warning to US businesses:

...in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More