On 6 October 2015 the Court of Justice of the European Union (CJEU) adopted a fundamental decision on the transfer of personal data between the EU and the USA. In case C-362/14 Maximillian Schrems vs. Data Protection Commissioner the CJEU ruled that Commission Decision 2000/520, which states that the USA, under the procedure known as “Safe Harbor”, ensures an adequate level of protection for personal data transferred there, is invalid.
I will not spend more time on the details of the judgment, because it has been widely reported everywhere; in any case, follow this link if you need to read the judgment.
The goal of this post is to report the first reactions by the authorities and the possible impact of this decision on the General Data Protection Regulation (GDPR).
The CJEU held that national supervisory authorities have the power to examine with complete independence whether the transfer of a person’s data to a third country complies with the requirements laid down by the Data Protection Directive.
Following this declaration, the Article 29 Working Party (WP29) released, on 16 October 2015, a statement on the ruling of the CJEU, urgently calling on the Member States and the European institutions to open discussions with U.S. authorities in order to find legal and technical solutions that would enable data transfers while respecting fundamental rights. The WP29 considers that the “current negotiations around a new Safe Harbor could be part of the solution”.
The WP29 has advised that while it considers the scope of the CJEU decision, “During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used”; however, this will not prevent national data protection authorities (DPAs) from investigating individual cases.
Prior to the statement from the WP29, few DPAs had issued formal guidance regarding the impact of the CJEU decision, although some had released statements suggesting the continued viability of alternative legal mechanisms for EU-US data transfers.
The following links lead to the statements made by some DPAs in the European jurisdictions:
As noted above, the statements provide a measure of reassurance for businesses, as it appears that, at least in the near term, companies can continue to rely upon Standard Contractual Clauses and Binding Corporate Rules as legal bases for their EU-US data transfers.
And what about the future? What is the impact on the proposed General Data Protection Regulation (GDPR)?
While the GDPR already includes detailed provisions governing jurisdiction and data transfers, the lack of an agreed text and the protracted timeline for implementation do not offer any immediate solution to companies impacted by the Safe Harbor decision.
An important statement was made two days ago by EU Commissioner Věra Jourová in a speech in Strasbourg. She said that agreements “in principle” are already in place with the U.S. Department of Commerce on a new version of Safe Harbor.
However, it was clear that a number of critical negotiating points remain.
Jourová said there have already been “several meetings at a technical level” between the Commission and the U.S., and that she had spoken with U.S. Commerce Secretary Penny Pritzker earlier on the same day as the judgment.
To read the complete speech, follow this link:
Thank you Alessandro, very interesting. I am organizing a meeting in Oracle to discuss this important topic. I will make sure to let you know the exact date. Cloud providers are paying a lot of attention to this.
The Spanish Data Protection Authority (AEPD) published guidelines for companies in order to regulate data transfers to the USA.
The AEPD sent a letter to all Spanish companies that are required to adopt BCR.
The letter informs them that, no later than January 29, 2016, all companies will have to comply with one of the following conditions:
The transfer is made with the data subject’s unambiguous consent;
is necessary for the performance of a contract with, or in the interests of, the data subject;
results from a treaty or convention to which Spain is a party;
is necessary or legally required to safeguard public interest, provide judicial aid, medical care, or support legal claims;
is necessary to protect the vital interests of the data subject;
or is made from a public register.
I think that, like Spain, other authorities will write their guidelines in the coming months.
Last week I was at the Italian authority (Garante per la protezione dei dati personali) and they told me that they are working on a decision regarding the CJEU judgment. Maybe they will publish it by the end of the year.