US and EU Need Safe Harbor Solution by End of January 2016 to Avoid Enforcement Action

Safe-Harbor

Written By ESR News Blog Editor Thomas Ahearn

In the wake of the landmark October 6, 2015 ruling by the Court of Justice of the European Union (CJEU) that invalidated the “Safe Harbor” data transfer pact between the United States (US) and European Union (EU), privacy watchdog group Article 29 Working Party has called on the US and EU to find a new solution by the end of January 2016 to avoid possible enforcement action, according to a statement from the Article 29 Working Party.

The Article 29 Working Party is an independent advisory body on data protection and privacy set up under Article 29 of the Data Protection Directive 95/46/EC and composed of representatives from the national data protection authorities of EU Member States, the European Data Protection Supervisor, and the European Commission. In their statement, the Article 29 Working Party wrote in part:

Therefore, the Working Party is urgently calling on the Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects. The current negotiations around a new Safe Harbor could be a part of the solution. In any case, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.

In the meantime, the Working Party will continue its analysis on the impact of the CJEU judgment on other transfer tools. During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. In any case, this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.

If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.

Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbor decision”). In any case, transfers that are still taking place under the Safe Harbor decision after the CJEU judgment are unlawful.

Meanwhile, the U.S. Department of Commerce Safe Harbor webpage contains the following Advisory on the ruling by the CJEU that declared invalid the 15-year-old international data sharing pact known as Safe Harbor that was created in 2000 to allow companies to freely transfer the digital information of individuals between the United States and the European Union (EU). The Advisory reads:

On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce.”

In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.

Since 2000, the Safe Harbor Framework has proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU,” U.S. Secretary of Commerce Penny Pritzker said in a statement.  “Among other things, the decision does not credit the benefits to privacy and growth that have been afforded by this Framework over the last 15 years.”

esr-ad-1

As reported earlier on the ESR News Blog, the ruling that invalidated the Safe Harbor data transfer agreement stems from the case of Maximillian Schrems v. Data Protection Commissioner where an Austrian citizen and Facebook user lodged a complaint with the Irish supervisory authority about data provided to Facebook being transferred to servers located in the United States for processing.

The complaint from Schrems claimed the United States did not offer sufficient protection against surveillance by government authorities of data transferred to that country in light of the revelations made by former National Security Agency (NSA) contractor Edward Snowden. With Safe Harbor invalid, data privacy regulators in each EU nation will be able to examine claims by people such as Schrems.

Employment Screening Resources® (ESR) is closely monitoring the Safe Harbor situation and will provide updates. ESR announced the successful completion of SOC 2® Type 2 Data Security Audit confirming ESR meets standards set by the American Institute of Certified Public Accountants (AICPA) to protect the security, confidentiality, and privacy of consumer data. To learn more, visit www.esrcheck.com/SOC-2/.

© 2015 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.