Companies Face Safe Harbor Legal Action After Jan. 31

By Matthew Broersma

Companies continuing to transfer EU individuals’ personal data to the United States under Safe Harbor rules will face legal action beginning at the end of January 2016.

This is unless a new agreement is reached between the European Union and the United States by that time, European data protection regulators have said.

The regulators are currently meeting in Brussels to discuss the implications of a decision by the European Union Court of Justice (CJEU) two weeks ago to strike down Safe Harbor, which was used by around 4,000 companies to facilitate data transfers between the two territories.

In a statement issued on Friday, they confirmed that transfers can no longer legally be carried out under Safe Harbor rules.

“Transfers that are still taking place under the Safe Harbor decision after the CJEU judgment are unlawful,” they wrote.

The European Union and the United States have been in negotiations for the past two years over a new agreement to replace Safe Harbor that would better protect data transferred to the United States, after former NSA contractor Edward Snowden provided evidence of the U.S. government’s mass data collection programs.

The question of mass data collection came up again in a data protection case brought by law student Max Schrems against Facebook, and it was this case which led to the CJEU’s decision.

The regulators emphasized that the question of mass surveillance was central to the CJEU’s decision.

Mass Data Surveillance

“The question of massive and indiscriminate surveillance is a key element of the Court’s analysis,” they stated. “It recalls that it has consistently stated that such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue.”

The regulators called on the European Union and the United States to “urgently” work toward a new data transfer agreement, but said such an agreement must provide “stronger guarantees to EU data subjects” accompanied by “clear and binding mechanisms” and “oversight of access by public authorities.”

If no such agreement is found by the end of January, the regulators said they would consider large-scale actions to enforce data protection rules.

“If by the end of January 2016, no appropriate solution is found with the U.S. authorities and depending on the assessment of the transfer tools… EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions,” they wrote.

Data Transfer Risks

The regulators noted that more specialized data transfer mechanisms called standard contractual clauses and binding corporate rules are unaffected by the court’s decision, and affirmed that data protection authorities remain free to investigate particular cases at any time.

They said information campaigns are planned at a national level to keep companies that previously relied upon Safe Harbor up to date, and insisted upon the shared responsibility of data protection authorities, EU institutions, EU member states and businesses to find “sustainable solutions” to implement the court’s judgment.

“In the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis[iton],” the regulators stated.

The statement was issued by the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, which includes representatives from the national data protection authorities of the EU’s member states, the European data protection supervisor and the European Commission, and whose role is to coordinate the application of data protection rules across the EU.