Out-Law / Your Daily Need-To-Know

EU regulators set three month deadline for new 'safe harbour' agreement

Out-Law News | 21 Oct 2015 | 10:40 am | 1 min. read

EU privacy watchdogs have called for EU member states and institutions to open discussions with US authorities to find "political, legal and technical" solutions to allow data transfers from the EU to the US by the end of January.

The Article 29 Working Party, which is made up of the 28 EU data protection authorities, said that EU regulators "consider that it is absolutely necessary to have a robust, collective and common position on the implementation on the judgment".

It was responding to the ruling earlier this month by the Court of Justice of the EU (CJEU) that the 'safe harbour' framework for enabling EU-US data transfers is "invalid".

Until a new agreement is reached companies can continue to use standard contractual clauses and binding corporate rules which are other recognised ways in which data can be transferred to non-EU countries to provide protection for subjects of data collection and transfer, Article 29 said.

Continued use of these data transfer mechanisms beyond the January deadline however would go against the opinion of several German regulators who told Out-Law last week that are opposed to the use of model clauses.

The working group will review the standard clauses and other tools to assess the impact of the ECJ ruling, it said. If no solution is found by the end of January 2016, the working group said that EU regulators are "committed to take all necessary and appropriate actions, which may include coordinated enforcement actions".

Any data transfers that are still taking place under the 'safe harbour' decision are unlawful, the working group said.

EU data authorities will begin national information campaigns, potentially including direct contact with companies who have previously replied on the safe harbour decision, it said.

It is the shared responsibility of data protection authorities, EU institutions, member states and businesses to find solutions to the judgment, the working party said. Businesses "should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks", it said.