The Safe Harbour Principles snowed in
The Article 29 Working Party issues a statement
In its recent landmark ruling of 6 October 2015 in the Maximillian Schrems vs Data Protection Commissioner case (C-362-14), the European Court of Justice invalidated the decision of the European Commission dated 26 July 2000. The now-invalidated decision made it possible to transfer personal data from the European Union to the United States, provided the receiving company adhered to the Safe Harbour Principles through a system of self-certification.
The European Court of Justice based its invalidation on the following. The Safe Harbour Principles apply solely to the self-certified American organizations and do not bind American government agencies. Where such agencies consider matters of national security, public interest or law enforcement to be at stake, American organizations are obligated to give them access to, or insight into, the personal data they store, regardless of whether the organization adheres to the Safe Harbour Principles and without being able to rely on restrictions or conditions that safeguard the privacy of the data subjects in question.
The invalidated decision did not identify whether any US government rules exist that safeguard the privacy of European citizens in such instances. The Fourth Amendment to the United States Constitution does not protect non-American citizens outside of America.
Nor did the invalidated decision of the European Commission identify whether it is possible for European citizens to seek legal protection in the US if they believe their privacy has been violated. Such a law is currently in the making but is not yet in effect as of this date.
Regulation that in general makes possible massive and indiscriminate surveillance of all personal data transferred from the European Union to the United States and/or stored by an American organization within the European Union, without the required purpose limitation, proportionality and subsidiarity, is not in line with the European privacy safeguards.
As of the date of the judgment of the European Court of Justice (October 6th 2015) transfer of personal data to the US relying on the Safe Harbour Principles is unlawful.
The Article 29 Working Party issued a statement on October 16th setting out its analysis of the impact of the European Court of Justice ruling in the Schrems case. In it, the Working Party states that, until further notice, companies can still use the following for the transfer of personal data to the United States: (a) standard EC Model Clauses; (b) Binding Corporate Rules (BCRs). In the Netherlands a company can also use amended EC Model Clauses or its own privacy clauses, provided it has been granted a permit to do so by the Ministry of Security and Justice of the Netherlands.
The Working Party shall continue its analysis of transfer tools such as the standard EC Model Clauses in the light of the European Court of Justice ruling in the Schrems case. The main issue was not the Safe Harbour Principles themselves but the possibility of massive and indiscriminate surveillance. Use of the standard EC Model Clauses and BCRs does not change that. The Article 29 Working Party stresses that existing transfer tools are not the solution to this issue. The Working Party has called on the Member States and European institutions to negotiate with American authorities in order to come up with a solid solution. In the meantime, however, data protection authorities will continue to allow the use of standard EC Model Clauses and BCRs as transfer tools. It should be stressed that putting such documents in place is not enough. Taking the appropriate technological and/or organizational measures is essential. The use of alternative existing transfer tools, such as the standard EC Model Clauses, does not stop the data protection authorities from investigating the transfer of personal data to the United States in order to protect data subjects.
A company making use of processors such as cloud service providers, hosting providers and other relevant companies subject to the jurisdiction of the United States (such as entities based in the US, entities with one or more subsidiaries or offices in the US), including sub-processors thereof, will need to assess the risks involved with regard to the (sub)processing of personal data within the context of the landmark ruling of 6th October (Maximillian Schrems vs Data Protection Commissioner case) and to put into place any additional or amended technological and/or organizational measures in compliance with the applicable privacy laws.
If you would like to know more about the impact of the European Court of Justice ruling for your company, please contact mr. I.M. Tempelman.
The full text of the European Court of Justice ruling of 6th October in the Maximillian Schrems vs Data Protection Commissioner case (C-362-14) can be read here.
The full text of the statement of the Article 29 Working Party of 16th October can be read here.