On 14 July 2014 the European Data Protection Supervisor (EDPS) issued a position paper providing guidance to EU institutions and bodies on the transfer of personal data to third countries, in light of the provisions laid down in Regulation (EC) No 45/2001. The position paper is a useful tool for interpreting some of those provisions when personal information is transferred outside the EU or to bodies not subject to EU law. It is complemented by a practical checklist which allows EU institutions and bodies to follow a certain course of action before international transfers take place, in order to ensure compliance with EU law.
Following the European Court of Justice’s invalidation of the Safe Harbour mechanism, which allowed the transfer of personal data to U.S. companies certified under the Safe Harbour Program, it is no longer possible to transfer data to the U.S. based on the above-mentioned Agreement.
In November 2015, the Spanish Data Protection Agency (AEPD) sent a letter to all companies that operate in Spain and had previously notified the AEPD of cross-border data transfers to Safe Harbour certified companies. This communication stated that Safe Harbour certifications were no longer valid. In this regard, the AEPD stated that companies must implement other mechanisms to continue the data transfers previously made under the aforementioned Program. In particular, the AEPD is requiring the companies to report, no later than January 29, 2016, any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.
Finally, last December, the AEPD issued a new communication on the implementation of the Safe Harbour judgment, which is analysed in the assessment.
On November 19, 2015, the French Data Protection Authority (CNIL) published guidance, including a set of frequently asked questions, to assist companies that are transferring personal data to the U.S. pursuant to the Safe Harbor framework.
The CNIL clarified that the DPAs are still analysing the impact of the CJEU ruling on BCRs and EU Model Clauses, but have decided to allow companies to rely on them temporarily. In addition, in order to speed up the process, the French Data Authority pointed out that EU Model Clauses are the most suitable mechanism, since personal data must be protected immediately and the implementation of BCRs takes several months.
The guidance does not make any reference to other data transfer mechanisms, in particular to derogations (such as data subject consent), which have always been narrowly interpreted by the CNIL.
In addition, the CNIL stated that companies must amend their existing reports by the end of January 2016 either to declare that their data transfers to the U.S. have ceased or to specify that the data transfers will be based on another data transfer mechanism (EU Model Clauses).
Finally, the CNIL specified that in the absence of a Safe Harbour 2.0 by the beginning of next year, the European DPAs would assess the possibility of using their enforcement powers to suspend or forbid data transfers to the U.S.
On 22 October 2015, the Italian Data Protection Authority (GDPD) issued a provision following the recent judgment of the Court of Justice of the European Union in the case Schrems v. Facebook, which declared invalid the system set up under the Safe Harbour.
As a direct consequence, the GDPD has explicitly forbidden any data transfer between both countries. It may therefore carry out inspections on transfers at any time and, if necessary, adopt effective measures provided under the Italian Data Protection Code. In addition, the implementation of other alternatives is encouraged in order to ensure compliance with the Italian regulations on the protection of personal data.
Finally, the GDPD suggested some instruments to lawfully transfer the data of Italian citizens, i.e. Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR) or the consent of data subjects.
The Hamburg Commissioner for Data Protection and Freedom of Information recently released a statement regarding the judgment of the European Court of Justice on the Safe Harbour scheme in the case Schrems v. Facebook. This statement provides useful guidelines and instructions addressed to businesses and practitioners on how the judgment should be interpreted and on the next steps this supervisory authority will take in order to ensure compliance with the ruling.
On 16 October 2015 the Article 29 Working Party issued a statement on the recent ruling of the Court of Justice of the EU in Schrems v. Facebook. Although the tone of the statement is quite general, it reflects the positions and views of European DPAs on the transfer of personal data to the US and on the consequences of the judgment. Moreover, apart from illustrating the next steps European institutions should take in their negotiations with the US, this statement provides a few guidelines for European businesses that would allow them to implement the Court’s judgment.
Position Paper of the ULD on the judgment of the Court of Justice of the European Union of 6 October 2015, Schrems v. Facebook (C-362/14)
On 14 October 2015 the DPA of the German state of Schleswig-Holstein issued a position paper commenting on the judgment of the Court of Justice of the EU in the case Schrems v. Facebook. Although the position paper reflects the stance of this DPA exclusively and has limited reach, it contains interesting arguments which criticise the views of the European Commission on the transfer of personal data to the US. According to the DPA, data protection standards in the US are inadequate to protect EU citizens, and data transfer mechanisms other than the Safe Harbour will pose the same problems raised by the Court of Luxembourg in Schrems v. Facebook.
In the wake of the judgment of the European Court of Justice on the Safe Harbour scheme in the case Schrems v. Facebook, German federal and state data protection authorities gathered together and issued a joint position paper. Their common position follows the judgment and views expressed by the Court of Luxembourg. In addition, it sheds light on some key aspects of the ruling and on its interpretation by DPAs, governmental authorities and private companies.