European national data protection authorities to enforce ECJ Safe Harbour decision from 1 Feb 2016

Companies could be prosecuted following the European Court of Justice decision that Safe Harbour is invalid, from February 1 2016 according to Article 29 Working Party of European national data protection authoirities

On Tuesday 6 October the European Court of Justice dismissed so-called Safe Harbour, a system to allow US companies to process data that belongs to European citizens. According to the Article 29 Working Party of European national data protection authorities, while no action will be taken against companies now, enforcement action could begin from 1 February 2016 if there is no Safe Harbor 2.0 agreed with the US authorities by this date.

On Friday 16 October the Working Party called on the Member States and the EU institutions to continue discussions with the US authorities on negotiating a revised Safe Harbor 2.0 which will be compliant with European data protection legislation and the decision of the ECJ in the Safe Harbor case.

The ECJ invalidated the current Safe Harbor Agreement on a technical ground, but in reality the USA’s national security and intelligence services surveillance operations, as revealed by Snowden were behind the decision. For more details see here.

As pointed out in my earlier article, the problems of the USA’s national security and intelligence services surveillance operations are equally applicable to Binding Corporate Rules and model Contract Clauses.

The national data protection authorities consider that Model Contract Clauses and Binding Corporate Rules can still be used to transfer personal information to the USA, but the Working Party will continue its analysis on the impact of the ECJ decision on these transfer methods.

However, individual national data protection authorities can investigate transfers of personal information to the USA on the basis of specific complaints.

Members who currently use Safe Harbor to transfer personal information to the USA should review their use of Safe Harbor and consider the risks of transferring personal information to the USA in the light of the Snowden revelations.

They should document their thought processes in coming to a decision as to whether to put in place Model Contract Clauses or Binding Corporate rules as an interim solution.

The ICO has accepted this may take some time and therefore it is unlikely that it will take any enforcement action before 1 February 2016. However, putting your thoughts and decisions made in writing will demonstrate to the ICO that you are taking the matter seriously and not burying your head in the sand and ignoring the ECJ decision.