Tag Archives: international coordination

Agencia Española de Protección de Datos (AEPD)

New communication from the AEPD for the implementation of the judgment of Safe Harbour

According to the European Court of Justice’s invalidation of the Safe Harbour mechanism, which allowed the transfer of personal data to U.S. companies certified under the Safe Harbour Program, it is no longer possible to transfer data to the U.S. based on the above mentioned Agreement.

In November 2015, the Spanish Data Protection Agency (AEPD) sent a letter to all companies that operate in Spain and had previously notified the AEPD of cross-border data transfers to Safe Harbour certified companies. This communication outlined that Safe Harbour certifications were no longer valid. In this regard, the AEPD stated that companies must implement other mechanisms to continue transferring data under the aforementioned Program. In particular, the AEPD is requiring the companies to inform not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.

Finally, last December, the AEPD issued a new communication on the implementation of the judgment of Safe Harbour which is the object of analysis in the assessment.


Weltimmo, Schrems and the reinforcement of cooperation between European data protection authorities

Maciej Kawecki, Bureau of the Inspector General for Personal Data Protection, Poland
Dariusz Kloza, Vrije Universiteit Brussel, Belgium

Cranes in St. Helier, Søren Øxenhave via Flickr (CC BY-ND 2.0)

While the work on the General Data Protection Regulation slowly comes to an end, recently causing both self-reflection and worldwide heated debates on its prospects, there is no doubt two particular judgments of the Court of Justice of the European Union from October 2015 gained no less attention. Obviously we have in mind judgements in widely-debated Schrems and in yet-not-so-popular Weltimmo cases, whose influence on the regulation of personal data protection in Europe and beyond is unprecedented. This influence is at least twofold.

First, both judgments have abruptly changed the landscape of cross-border data protection relationships. In Schrems, the Court annulled Commission’s Decision of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles. This has forced the majority of American data controllers, who had self-certified to the US Department of Commerce their adherence to these principles, to search for another premise for transfers of personal data, such as binding corporate rules, model contractual clauses or simply individual’s consent. In Weltimmo, the Court – ‘in construing the coordinates of human rights protection in the digital age’ (as Zanfir puts it) – has further extended the range of competences of national supervisory authorities. They are now authorised, so to speak, to exercise supervisory powers over even those data controllers and processors who do not fall into their territorial jurisdiction due to lack of a ‘registered office or branch’ therein, but exercise ‘through stable arrangements in the territory of that Member State, a real and effective activity’ (§41).

Second, although this will not be any obvious conclusion from reading the respective texts of these judgments, these two cases have reinforced cooperation between European data protection authorities. This development particularly interests the PHAEDRA project consortium.


In Weltimmo, the Court made one of not-so-many such strong interpretations of Article 28(6) of Directive 95/46 (i.e. ‘supervisory authorities shall cooperate…’). The judges in Luxembourg argued that cooperation is ‘necessary in order to ensure the free flow of personal data in the European Union, whilst ensuring compliance with the rules aimed at protection of personal data of natural persons’ (§53) and even spoke about ‘the duty of cooperation laid down in Article 28(6)’ (§57; emphasis ours). But what struck our attention is that the Court not only made a distinction between investigative and adjudicative/enforcement jurisdictions (see the writings of Svantesson on this matter), but also reaffirmed that enforcement cooperation is an obligation. A supervisory authority ‘may exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable to the processing in question’ (§57). However, in case ‘the law of another Member State is applicable, [the authority] […] must […] request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits’ (§57; emphasis ours).

A reader would easily note the term ‘must’ was used in the context of the ‘duty of cooperation’. The fulfilment thereof, in the still-old regime of Directive 95/46, is rather problematic. The list of troubles is long, but one of the most pertinent is the absence of explicit and detailed legal provisions on cooperation at the European Union level or at a domestic one. Can supervisory authorities rely solely on Article 28(6)? This question should rather be rephrased as whether this provision had a vertical direct effect. Were it found unconditional, sufficiently clear and precise, its direct applicability could mean, inter alia, that an authority from one Member State must request its counterpart from another Member State to cooperate on a cross-border case and the latter must not refuse. (The Weltimmo decision tends to confirm so. The judgement concludes with a sentence that a supervisory authority ‘should […] request the supervisory authority within the Member State whose law is applicable to act’.) Or, speaking more bravely, a data subject might demand her supervisory authority to cooperate with the counterpart of the latter and none of them might refuse either.


Few readers would disagree that the Schrems judgment does not concern any aspect of cooperation between supervisory authorities. Yet, its ramifications simply constitute another impeccable example of the need to cooperate between supervisory authorities on a “general” or “abstract” level. (While in Weltimmo we analysed enforcement cooperation, this does not exhaust the range of cooperation activities supervisory authorities may engage in.) After each important data protection judgement arriving from Luxembourg – be it Digital Rights Ireland, Costeja or Schrems – the necessity to develop a common position both on the forum of the Article 29 Working Party and by all and every supervisory authority forced them to act. Concerning the latest ruling, in its statement of 16 October 2015 the Working Party directly indicated ‘it is absolutely essential to have a robust, collective, and common position on the implementation of the judgment’ (emphasis ours). A reader would easily note a plea for more unity.


Weltimmo and Schrems judgements are yet another set of decisions that have unprecedented consequences for the data protection landscape in Europe and beyond. The former case underlined both the significance of enforcement cooperation and the duty to cooperate between supervisory authorities. The consequences of the latter case once again forced these authorities to speak with one voice. In our opinion, both judgements reinforced cooperation mechanisms and pleaded towards their efficiency. Using the narrative of human rights, such efficiency is a means of practical and effective protection of personal data. What is now left on the agenda is to ensure efficiency of cooperation between supervisory authorities under the future regime of General Data Protection Regulation. Weltimmo and Schrems remain instructive here.

Commission Nationale de l’Informatique et des Libertés (CNIL)

French Data Protection Authority publishes a Guidance and FAQs on Safe Harbour

On November 19, 2015, the French Data Protection Authority (CNIL) published a  guidance, including a set of frequently asked questions, to assist companies that are transferring personal data to the U.S. pursuant to the Safe Harbor framework.

The CNIL clarified that the DPAs are still analysing the impact of the CJEU ruling on BCRs and EU Model Clauses, but have decided to allow companies to rely on them temporarily. In addition, in order to speed up the process, the French Data Authority pointed out that EU Model Clauses are the most suitable mechanism, since personal data must be protected immediately and the implementation of BCRs takes several months.

The guidance does not make any reference to other data transfer mechanisms in particular, to derogations (such as data subject consent), which always has been narrowly interpreted by the CNIL.

Besides, the CNIL stated that companies must amend their existing reports by the end of January 2016 to either declare that their data transfers to the U.S. have ceased, or even to specify that the data transfers will be based on another data transfer mechanism (EU Model Clauses).

Finally, the CNIL specified that in the absence of a Safe Harbour 2.0 for the beginning of next year, the European DPAs would assess the possibility of using their enforcement powers to suspend or forbid data transfers to the U.S.

Garante per la Protezione dei Dati Personali

Decision on Data Transfers to the USA: the “Safe Harbor” Authorisation is Invalid

On 22 October 2015, the Italian Data Protection Authority (GDPD) issued a provision following the recent judgment of the Court of Justice of the European Union in the case Schrems v. Facebook, which declared invalid the system set up under the Safe Harbour.

As a direct consequence, the GDPD has explicitly forbidden any data transfer between both countries. Thus, it might carry out inspections on the transfer at any time and, if necessary, to adopt effective measures provided under the Italian Data Protection Code. Besides, the implementation of other alternatives is encouraged in order to ensure compliance with the Italian regulations on the protection of personal data.

Finally, GDPD suggested some instruments to lawfully transfer the data of Italian citizens, i.e. Standard Contractual Clauses (SCC), Binding Corporate Rules (BCC) or the consent of data subjects.

Autoriteit Persoonsgegevens

CBP Signs agreement GPEN alerting system

The Dutch Data Protection Authority (CBP) has a cooperation agreement (Memorandum of Understanding, or MoU) with seven other privacy regulators for exchange of information in GPEN Alert System. Through this system, data protection authorities worldwide, monitor and exchange information on cases if there are cross-border issues.

The system allows sharing on information investigations, but also of signals that may be relevant to other regulators. Each supervisor decides what to share based on the laws in force in their country.

The seven regulators are the CBP, the US Federal Trade Commission (who developed the system for GPEN), as well as the privacy authorities of Australia, Canada, Ireland, New Zealand, Norway and the United Kingdom.