For those who missed the turmoil caused by the ‘Schrems’ judgment of the EU Court of Justice of 6 October 2015, in short, the CJEU:
- declared the decision of the European Commission, establishing the ‘adequacy’ of the Safe Harbour self-certification system for EU-US data transfers, invalid;
- rendered all data transfers to the US, based on the Safe Harbour regime, unlawful with immediate effect; and
- expressly confirmed that national data protection authorities may investigate complaints alleging that any third country does not ensure an adequate level of data protection and, where appropriate, suspend/prohibit the data transfers to such country.
This judgment has far-reaching consequences for companies operating internationally. EU companies who, in the past, have been reliant on the Safe Harbour certification of their US-based affiliates, service providers or other contract partners, now have to find another way to legitimize their data transfers. Non-compliant data controllers run the risk of substantial fines (of up to EUR 600,000 in Belgium).
In a joint statement published on 16 October 2015, the EU data protection authorities:
- agree with the CJEU that transfers to third countries, where the powers of state authorities to access information go beyond what is necessary in a democratic society, are not to be considered as safe destinations for data transfers;
- call on the Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling data transfers to the US that respect fundamental rights (cf. the ongoing negotiations concerning a possible new Safe Harbour);
- announce that they will continue their analysis of the impact of the CJEU judgment on other international data transfer tools (such as Standard Contractual Clauses and Binding Corporate Rules); In the meanwhile, these mechanisms can still be used, without prejudice, however, to the national data protection authorities’ powers to investigate the legality of data transfers in particular cases;
If by the end of January 2016, no appropriate solution is found with the US authorities, and subject to the assessment of the other data transfer tools, EU data protection authorities are committed to take all necessary and appropriate measures, which may include coordinated enforcement.
Regarding the practical consequences of the ‘Schrems’ judgment, the EU data protection authorities consider:
- that it is clear that EU-US data transfers can no longer be based on the Safe Harbour self-certification system;
- that current transfers on this basis, are unlawful; and
- that businesses should reflect on the potential risks they may incur when transferring data and should consider timely implementation of legal and technical solutions to mitigate those risks and comply with the EU data protection principles.
Click here to read a more detailed analysis of the ‘Schrems’ judgment (case C-362/14).