The so called Article 29 Working Party met on October 15, 2015 to discuss the consequences of the Schrems Judgment of the European Court of Justice (ECJ). On October 16, 2015, the Working Party published a Statement summarizing their initial conclusions. The Working Party includes representatives of the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission.
The Working Party states that data transfers made under Safe Harbor are unlawful following the Judgment. However, enforcement actions of the national data protection authorities shall only take place, if no other solution is found by the end of January 2016. In the opinion of the Working Party, such solution could include an intergovernmental agreement between the EU and US with reference to a revised Safe Harbor framework. It will be seen whether the US government will be able to agree to limit law enforcement access and to provide remedies for data subjects as required by the European Court of Justice, to the satisfaction of the EU. Due to this uncertainty, businesses will not be able to wait until January 2016, because they will not be able to implement alternative solutions in time, if the governments do not agree.
The Working Party was not able to agree on the treatment of Model Clauses, Binding Corporate Rules or consent. Instead, the Working Party agreed to continue to analyze the impact of the Judgment on other transfer tools. For the time being, they accept that Model Clauses can be used. In initial statements, the European Commission and some national data protection authorities have expressed different views on the future use of these instruments in light of the Schrems Judgement. On October 14, the data protection authority in the German State Schleswig-Holstein published a Position Paper declaring all these instruments were likely to be invalid due to the surveillance activities and the lack of remedies in the US. Authorities in other German States (Bremen, Hamburg and Berlin) have voiced similar views prior to the Article 29 Working Party meeting this week.
On the other side of the Atlantic, rumor on the hill is that the US is gearing up to look at the legislative solution. The US could theoretically pass laws to permit EU citizens to take action in the US, and there is a bill advancing in the House and Senate that may well be signed into law before year end. Importantly, this bill does not amend the law in ways that go to the heart of the Schrems complaint and ensuing ECJ decision. The present legislative initiative on the issue (Judicial Redress Act) extends to citizens of EU countries the same rights US citizens have to seek redress in court regarding US Government data practices. This bill, if adopted as currently drafted, would not apply to data collected or held by US intelligence services. Therefore, the extension of rights and access to court will not solve the issues raised by the European Court of Justice. Rather, its impact will principally pertain to criminal, medical, financial, or educational records, which are not relevant to the “mass surveillance” concerns of the ECJ, European Commission, or the many advocacy groups arrayed against the adequacy if US privacy laws. While the Judicial Redress Act, if passed, would be a bona fide and meaningful extension of rights, it will not fix Schrems-related gaps in access or redress.
What does this mean? It seems that companies have to the end of January 2016 before the data protection authorities will start enforcement, at least in the absence of complaints. Although the Working Party’s view points to the use of Model Clauses being a good interim step (Binding Corporate Rules of course being no solution for companies that do not already have them in place given the lead time for approval), it provides no long term comfort in relation to any of the current mechanisms, instead emphasizing that it will take political will on both sides of the Atlantic to provide a long term solution.