4 points on what WP29’s statement on the Schrems ruling means for business


26 Oct 2015

Mason Hayes and Curran looks at the statement published by the EU’s body of data protection regulators following the recent ruling in the Max Schrems case.

The Article 29 Working Party (WP29) – the collective body all of EU data protection regulators (DPAs) – has published a statement in reaction to the recent Schrems judgment. With the Schrems ruling triggering the end of the EU-US Safe Harbour arrangement, WP29 has called on DPAs to inform stakeholders and assist companies with ongoing compliance.

The WP29 has confirmed that both the European Commission Standard Contractual Clauses and Binding Corporate Rules remain valid methods to transfer data to the US. However, DPAs may commence concerted investigation and enforcement in early 2016. We take a look at four points to note from this statement.

1. Implementing the judgment

WP29 has reiterated the need for EU data protection authorities’ to have a “robust, collective and common position” to successfully implement the Schrems judgment. The statement adopts the position that the core element to the Schrems decision was the issue of massive and indiscriminate surveillance – something WP29 has previously stated is incompatible with EU law.

In light of the Schrems decision, the WP29 has called on member states and EU institutions to enter discussions with the US with the aim of finding political, technical and legal solutions to enable data transfers, while respecting fundamental rights. Current draft US legislation may play a part here, and Safe Harbour 2, if agreed, could also be part of the solution. However, WP29 stresses the need for “clear and binding mechanisms”, as well as “obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights”.

2. Alternative transfer tools

In response to questions and concerns arising since SchremsWP29 has confirmed that the European Commission Standard Contractual Clauses and Binding Corporate Rules can still be used to validate data transfers outside the EEA. However, this will not preclude regulators from conducting investigations and enforcement action in specific cases, such as arising where complaints are filed. WP29 has signalled that it intends to undertake a review of transfer mechanisms following the court’s judgment.

3. Enforcement

In light of Schrems, transfers of personal data to the US can no longer be based on Safe Harbour. According to WP29, coordinated enforcement action arising out of such transfers may begin by the end of January 2016. How such enforcement will play out depends largely on whether a sustainable solution with the US is found and also relies on the result of WP29’s review of available transfer mechanisms.

4. Awareness

Given the degree of uncertainty affecting many companies following Schrems, particularly those previously reliant on Safe Harbour, EU data protection regulators will make a concerted effort to advise and inform stakeholders. In particular, they will work to assist companies in avoiding potential future liability. These campaigns will include direct contact with companies who currently rely on the Safe Harbour scheme. DPAs will also supply online notices via their respective websites.

WP29 advises that companies need to be aware of the “eventual risks” they take when transferring data outside the EEA and notes that companies should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect fundamental rights.

Conclusion

This statement has brought some additional clarity to the uncertainty many companies faced in the wake of the Schrems decision. Given the views of the WP29, companies should ensure that their data exports to the US (and other jurisdictions outside the EEA) are based on valid mechanisms. Given WP29’s stated aim of beginning investigation and enforcement actions in early 2016, companies that were previously Safe Harbour registered should now review how they export personal data to the US.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

 Main image via Shutterstock