Safe Harbour is invalid – What’s the impact of the recent decision by the European Court of Justice

By | Monday October 26th, 2015

On 6 October the European Court of Justice (CJEU) adopted a fundamental decision on the transfer of personal data between the EU and the USA. In case C-362/14 Maximillian Schrems vs. Data Protection Commissioner, the CJEU ruled that Commission Decision 2000/520, which states that the USA ensures an adequate level of protection for transferred personal data under the procedure known as “safe harbor”, is invalid.

I won’t spend more time on the details of the judgment because it has been widely reported everywhere; if you need to read the judgment, follow this link:
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&docid=169195&occ=first&dir=&cid=93767

The goal of this post is to report the first reactions by the authorities and what the impact of this decision could be for the General Data Protection Regulation (GDPR).

The CJEU held that national supervisory authorities have the power to examine with complete independence whether the transfer of a person’s data to a third country complies with the requirements laid down by the Data Protection Directive.

Following this declaration, the Article 29 Working Party (WP29) released, on 16 October 2015, a statement on the ruling of the CJEU.

The WP29 urgently calls on the Member States and the European institutions to open discussions with U.S. authorities in order to find legal and technical solutions that would enable data transfers while respecting fundamental rights. The WP29 considers that the “current negotiations around a new Safe Harbor could be part of the solution”.

The WP29 has advised that while it considers the scope of the CJEU decision, “During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used”; however, this will not prevent national data protection authorities (DPAs) from investigating individual cases.
Prior to the statement from the WP29, few DPAs had issued formal guidance regarding the impact of the CJEU decision, although some had released statements suggesting the continued viability of alternative legal mechanisms for EU-US data transfers.
The following links lead to the statements made by DPAs in several European jurisdictions:
Belgium
http://www.privacycommission.be/fr/La-cour-de-justice-de-lunion-europeenne-sest-prononcee-sur-la-sphere-de-securite

France
http://www.cnil.fr/linstitution/actualite/article/article/invalidation-du-safe-harbor-par-la-cour-de-justice-de-lunion-europeenne-une-decision-cl/

Germany
http://www.bfdi.bund.de/DE/Infothek/Pressemitteilungen/2015/21_EuropaeischerGerichtshofKipptSafeHarbor.html?nn=5217040

Italy
http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4308245

Spain
http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2015/notas_prensa/news/2015_10_06-ides-idphp.php

As noted above, the statements provide a measure of reassurance for businesses, as it appears that, at least in the near term, companies can continue to rely upon Standard Contractual Clauses and Binding Corporate Rules as legal bases for their EU-US data transfers.
And what about the future? What is the impact on the proposed General Data Protection Regulation (GDPR)?

While the GDPR already includes detailed provisions governing jurisdiction and data transfers, the lack of an agreed text and the protracted timeline for implementation do not offer any immediate solutions to companies impacted by the Safe Harbour decision.


About Alessandro Cosenza

He is the Chief Information Security Officer (CISO) at Bticino. He is responsible for maintaining the enterprise vision of the ICT department and works to ensure that information assets and technologies are adequately protected. He manages the team that develops, implements and maintains processes across the organization to reduce information and information technology (IT) risks. He also acts as Data Privacy Officer for the ICT department; in this role he oversees all activities related to the development, implementation, maintenance and adherence to the organisation’s privacy policies and procedures for the ICT department. He holds the ISACA certification Certified Information Security Auditor (CISA) and is a member of CLUSIT (Associazione Italiana per la Sicurezza Informatica). He attended and obtained a university certificate for the course “Computer forensics e Data protection” at the University of Milan, Faculty of Law.

3 thoughts on “Safe Harbour is invalid – What’s the impact of the recent decision by the European Court of Justice”

  1. Alessandro Cosenza Post author

    Important statement 2 days ago by EU Commissioner Věra Jourová in a speech at Strasbourg. She said that there are agreements “in principle” already in place with the U.S. Department of Commerce on a new version of Safe Harbor.
    However, it was clear that there remain a number of critical negotiating points.
    Jourová said there have already been “several meetings at a technical level” between the Commission and the U.S. and that she had spoken with U.S. Commerce Secretary Penny Pritzker earlier that same day of the judgment.
    To read the complete speech, follow this link:
    http://europa.eu/rapid/press-release_SPEECH-15-5916_en.htm

    1. Alessandro Vallega

      Thank you Alessandro, very interesting. I am organizing a meeting at Oracle to discuss this important topic. I will make sure to let you know the exact date… Cloud providers are paying a lot of attention to this.

  2. Alessandro Cosenza Post author

    The Spanish Data Protection Authority (AEPD) published guidelines for companies in order to regulate data transfers to the USA.
    AEPD sent a letter to all Spanish companies that were required to adopt BCR.
    The letter informs them that no later than January 29, 2016 all companies will have to comply with the following:

    The transfer is made with the data subject’s unambiguous consent;
    is necessary for the performance of a contract with, or in the interests of, the data subject;
    results from a treaty or convention to which Spain is a party;
    is necessary or legally required to safeguard public interest, provide judicial aid, medical care, or support legal claims;
    is necessary to protect the vital interests of the data subject;
    or is made from a public register.

    I think that, like Spain, other authorities will write their guidelines in the coming months.
    Last week I was at the Italian authority (Garante per la protezione dei dati personali) and they told me that they are working to define a decision regarding the CJEU judgment. Maybe they will publish it by the end of the year.
