In a concise statement, the Article 29 Working Party (WP29), a consortium of European Data Protection Authorities (DPAs), released a position paper today about the landmark ruling of the European Court of Justice in Maximilian Schrems v. Data Protection Commissioner (C-362-14).
WP29 makes a political call on the EU Member States to finalize discussions with the US authorities on a political and legal solution for the transfer of personal information from the EU to the US. The solution should ensure that strong guarantees are provided to EU data subjects against US surveillance. WP29 calls on the Member States to find a solution by the end of January 2016. After this deadline, the DPAs may initiate coordinated action to enforce the ECJ’s decision and suspend data flows.
WP29 makes it clear that the ECJ’s decision is immediately effective, and companies may not rely on Safe Harbor certifications to transfer data.
Importantly, however, WP29’s statement also offers some reassurance to companies, as it clarifies the following:
- Model Contracts and BCRs are not at risk for the moment.
- It is not only for businesses to remediate the situation – responsibility lies with the EU institutions and Member States as well. In the meantime, businesses are asked to mitigate risks.
- The DPAs will monitor the litigation pending before the Irish Court, which is tasked with implementing the ECJ’s decision. In that process, there is still room for positive developments, if the Irish Court and the Irish DPA decide, for instance, that the transfer of Schrems’ data should not be suspended.
The statement of the WP29 is available at: http://www.alston.com/files/docs/wp29_statement_on_schrems_judgement.pdf