The Article 29 Working Party released a statement outlining the implications of the court decision invalidating the US-EU Safe Harbor.
For affected businesses, the three principal takeaways from the Working Party’s Statement are:
No Grace Period
There is no grace period for companies to comply with the decision. Data transfers currently occurring under the Safe Harbor are unlawful.
No Guaranteed Grounds for Data Transfer
Standard Contractual Clauses and Binding Corporate Rules (BCRs) may be used, but use of such mechanisms for data transfers will not preclude data protection authorities from investigating cases and exercising their enforcement powers.
Enforcement After January 2016
If the US and EU do not develop a solution by the end of January 2016, the Working Party and DPAs will assess the transfer tools available and have committed to taking “necessary and appropriate” action, including coordinated enforcement.
The Working Party called upon Member states and European authorities to work with the United States to find legal and technical solutions to enable the transfer of data while respecting fundamental rights, which could include a new Safe Harbor. The statement indicated the primary issue that must be addressed by such a solution is government surveillance.
