The awaited reaction by the Article 29 Working Party on the Judgment of the Court of Justice of the European Union of 6 October invalidating the Safe Harbor1 system (the "Judgment") was published on Friday 16 October (the "Statement"). The Statement is significant because it is the first official joint reaction to the Judgment by European data protection authorities (including the Spanish Data Protection Authority, the "SDPA"), which had already stated individually in their own jurisdictions that they will seek common approaches to implement the Judgment consistently across Member States.
What have the authorities stated through this common forum?
Although they were expected to issue a reassuring message to European companies which have been carrying out international transfers of personal data to the US based on the Safe Harbor system up until the Judgment, their initial response has surprised the market because it has given rise to further uncertainty.
The following are the main conclusions of the Statement:
TRANSFERS BASED ON THE SAFE HARBOR SYSTEM
International data transfers which were based on the Safe Harbor system and that are still being carried out are unlawful.
This statement is of little substance because these transfers were considered unlawful as a direct consequence of the Judgment. However, this unlawfulness is particularly relevant in Spain, in which illicit international data transfers are sanctioned with fines of up to EUR 600,000.
EFFECTS ON TRANSFERS TO THE US BASED ON OTHER LEGAL GROUNDS
The European authorities underline that the Judgment considers that the authorities of the country receiving the data carries out "mass and indiscriminate surveillance" on the data of European citizens to be contrary to European regulations.
In this regard, the Article 29 Working Party states that it is analyzing the potential effects of the Judgment beyond the invalidated Safe Harbor system, that is, its potential impact on other legal mechanisms for data transfers insofar as these mechanisms do not solve potential "interferences" by the public authorities of the host country either. In this way, doubt has been cast over some legal mechanisms of data transfers to the US such as the Standard Contractual Clauses ("SCCs") or Binding Corporate Rules ("BCRs"), the use of which in Spain requires the authorization of the Director of the SDPA.
However, the Statement clarifies that, while this analysis is being carried out, legal mechanisms such as SCCs or BCRs may still be used, without prejudice to the powers of the authorities, in the case of Spain the SDPA, to investigate individual complaints or to carry out any actions needed to guarantee the rights of citizens.
HOW CAN THIS UNCERTAINTY BE RESOLVED?
The Statement does not offer specific solutions for the companies affected by the Judgment which, in addition to not being able to use the Safe Harbor system, are concerned about how the validity of other legal mechanisms may be brought into question in the future. The Article 29 Working Party has invited the Member States, the European Union institutions and the US authorities to resolve this uncertainty themselves, urging them to start negotiations to come up with solutions in order to be able to carry out international data transfers to the US without violating the fundamental rights of European citizens (e.g. the Safe Harbor 2.0 agreement that is currently being negotiated).
HAVE THE AUTHORITIES GIVEN A DEADLINE?
Yes, if by the end of January 2016, no agreement with the US authorities has been reached, and depending on the conclusions of the Article 29 Working Party regarding the other data transfer mechanisms (such as SCCs or BCRs), the European data protection authorities undertake to adopt and initiate any actions deemed necessary and appropriate, which may include coordinated actions to enforce the law.
WHAT IS ASKED OF THE COMPANIES?
The European authorities have asked the companies to start
- evaluating the potential risks each of them is assuming if and when transferring personal data to the US; and
- implementing all legal and technical solutions available to mitigate these risks and respect data protection regulations.
In addition to the public information campaigns that will be carried out by each national authority, the Article 29 Working Party does not rule out directly informing the companies which they know that have based their international transfers on the Safe Harbor system. Through the Statement, the authorities have asked companies to act now in order to legalize transfers carried out on the basis of the Safe Harbor system and to do so in an uncertain legal framework, while the market awaits definitive institutional and political solutions to this situation. Companies and their directors should at least take steps that will allow them to prove that they have acted with an appropriate level of diligence under the circumstances.