Companies Face ‘Safe Harbour’ Legal Action After 31 January

Companies continuing to transfer EU individuals’ personal data to the US under ‘Safe Harbour’ rules will face legal action beginning at the end of January 2016.

This is unless a new agreement is reached between the EU and the US by that time, European data protection regulators have said.

The regulators are currently meeting in Brussels to discuss the implications of a decision by the European Union Court of Justice (CJEU) two weeks ago to strike down Safe Harbour, which was used by around 4,000 companies to facilitate data transfers between the two territories.

In a statement issued on Friday, they confirmed that transfers can no longer legally be carried out under Safe Harbour rules.

“Transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful,” they wrote.

The EU and the US have been in negotiations for the past two years over a new agreement to replace Safe Harbour that would better protect data transferred to the US, after former NSA contractor Edward Snowden provided evidence of the US government’s mass data collection programmes.

The question of mass data collection came up again in a data protection case brought by law student Max Schrems against Facebook, and it was this case which led to the CJEU’s decision.

The regulators emphasised that the question of mass surveillance was central to the CJEU’s decision.

Mass data surveillance

“The question of massive and indiscriminate surveillance is a key element of the Court’s analysis,” they stated. “It recalls that it has consistently stated that such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue.”

The regulators called on the EU and the US to “urgently” work toward a new data transfer agreement, but said such an agreement must provide “stronger guarantees to EU data subjects” accompanied by “clear and binding mechanisms” and “oversight of access by public authorities”.

If no such agreement is found by the end of January, the regulators said they would consider large-scale actions to enforce data protection rules.

“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools… EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions,” they wrote.

Data transfer ‘risks’

The regulators noted that more specialised data transfer mechanisms called standard contractual clauses and binding corporate rules are unaffected by the court’s decision, and affirmed that data protection authorities remain free to investigate particular cases at any time.

They said information campaigns are planned at a national level to keep companies who previously relied upon Safe Harbour up to date, and insisted upon the shared responsibility of data protection authorities, EU institutions, EU member states and businesses to find “sustainable solutions” to implement the court’s judgment.

“In the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis,” the regulators stated.

The statement was issued by the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, which includes representatives from the national data protection authorities of the EU’s member states, the European data protection supervisor and the European Commission, and whose role is to coordinate the application of data protection rules across the EU.

Are you a security pro? Try our quiz!