In the wake of the decision from the Court of Justice of the European Union deeming the Safe Harbor program invalid, businesses have been clamoring for guidance from regulators regarding how they will interpret and react to the case.
Last week, the Article 29 Working Party (a collection of data protection authorities from EU member states) weighed in with a brief statement, which carries great weight given the collection of such authorities, even if their pronouncements are technically non-binding. Their statement is the following:
- Current data transfers that rely upon Safe Harbor are unlawful.
- Standard contractual clauses and binding corporate rules can still be used. However, this does not prevent any data protection authorities from investigating cases to protect individuals.
- Member States and the United States should work to find political, legal and technical solutions to enable data transfers. The Safe Harbor negotiations, which have been ongoing for 2 plus years, could be part of the solution.
- If, by the end of January 2016, no solution with the United States is found, then the data protection authorities are committed to taking all necessary and appropriate actions, which may include enforcement.
This statement makes clear that those relying solely upon Safe Harbor for data transfers need to reassess their measures for ensuring adequacy and compliance with applicable law.
Click here to view our most recent alert regarding the Court of Justice of the European Union deeming the Safe Harbor program invalid and the impact this will have on businesses transferring personal data from the EU to the United States.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.