The so-called “Article 29 Working Party” of EU Data protection officials from the 28 EU member states today released a much-anticipated press release regarding the Court of Justice of the European Union (CJEU) landmark decision invalidating the US-EU Safe Harbor framework.
US companies hoping for some guidance on managing cross-border data transfers will be sorely disappointed.
Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.
Further, although the statement indicates that the Working Party considers that Model Contracts or binding corporate rules “can still be used,” the group reserves the right to investigate any privacy complaints that arise in relation to any such transfers. In addition, unless the EU and US authorities agree on a Safe Harbor 2.0 or some other replacement, the statement says that the data protection authorities would consider taking “coordinated enforcement actions” against companies unlawfully transferring data.
The last paragraph of the statement sounds a warning to US businesses:
…in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.