Following the striking-down of the existing 15-year-old Safe Harbor framework by the European Court of Justice, that’s the deadline given - and the threat implied - by the Article 29 Working Party, which represents the data protection and privacy regulators of all the 28 EU member state, following a meeting in Brussels on Friday.
The US and the EU have been trying to put the building blocks of a new agreement to replace the Safe Harbor, for the past two years, with little sign of success. Now the clock is ticking.
The initial response from both cloud providers and Brussels was to point to so-called model clauses as a viable work-around for the time being, but these in turn have been questioned by legal experts and by German data protection authorities.
Specifically the German authorities issued a position paper stating that model contractual clauses are not a reliable a tool to transfer personal data from Europe to the US and data exporters should suspend such transfers under the model contracts.
There had been concern that the Article 29 Working Party would follow suit, but in the event, its ruling was effectively to pause for thought. The Working Party calls for:
- A robust, collective and common position on the implementation of the Schrems judgment, which brought down Safe Harbor.
- Member States and the European institutions to open discussions with US authorities to find political, legal and technical solutions enabling data transfers that respect the fundamental rights of European citizens.
- Continuing analysis on the impact of the judgment on other transfer tools.
- Data protection authorities to consider that Standard Contractual Clauses and Binding Corporate Rules can still be used, with the proviso that this does not prevent local data protection authorities investigating particular transfers.
But it goes on to state that if a solution isn’t found by the end of January 2016, then:
EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
It also calls on businesses to reflect on the risks they take when transferring data and consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect EU data protection laws.
But it is unequivocal in its insistence that Safe Harbor, in its original form, is dead and staying dead and plans to make sure that everyone knows it:
Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.
In order to ensure that all stakeholders are sufficiently informed, EU data protection authorities will put in place appropriate information campaigns at national level. This may include direct information to all known companies that used to rely on the Safe Harbour decision as well as general messages on the authorities’ websites.
Pause for thought?
Ross McKean, partner and head of the data protection practice at the international TMT law firm Olswang, reckons the outcome is the best that could be hoped for:
The Commission has been caught unprepared for the consequences of the Safe Harbor ruling which left Europe’s data protection authorities in a difficult position. There will have been intense debate over the last week in the Article 29 Working Party reflecting widely diverging views among Member State authorities. This was far from a straightforward task, and today’s opinion should be welcomed for enabling ongoing data transfers, whilst preserving the right for individual Member States to investigate particular transfers.
But he adds:
We certainly aren’t out of the woods yet. Some Member States have already taken a much more restrictive approach to transfer and last week’s ruling is fodder for follow-on litigation by privacy activists, disgruntled employees and consumers. Organisations need to assess their exposure and make sure that their transfer solutions still work.
The Working Party has added to the pressure on the Commission and Member State governments to reach agreement with the US on a longer term legal solution to this problem by imposing a deadline of the end of January 2016 after which they threaten “coordinated enforcement action”.
Meanwhile the US enterprise B2B cloud industry remains essentially tight-lipped, with the notable exception of CA Technologies which has taken a welcome leadership position.
Following talks with European Commission Vice-President Ansip and Commissioners Jourova and Oettinger, Sharyn Dodson, CA Technologies EMEA privacy officer, said that the meeting was “very constructive” and pointed to her firm's own use of Binding Corporate Rules (BCR) for data controllers. But she added:
This is not a short term fix though for organizations that do not currently use BCRs. We will be looking to use standard contractual clauses at least in the short term but like all organizations this will take some time to fully implement. In the longer term business has to be able to rely on mechanisms and CA Technologies, like other organizations, will assess, and look to adopt, the best methods for transfer of data to deliver stability and consistency across Member States.
Many companies however, especially smaller ones, have more difficulties in switching to other legal instruments. We think guidance from the European Commission and the Article 29 Working Party would be beneficial to reduce the legal uncertainty that currently exists.
Both sides better get their heads down pretty fast. Some German data protection authorities are insisting that the only way out of this mess is for the US to rewrite its own data protections laws. That sort of rhetoric isn't going to help and will only create resistance in the US, particularly in an election year. Let's hope saner voices prevail on both sides of the Pond.