On 6 October the European Court of Justice (CJEU) adopted a fundamental decision on transfer of personal data between the EU and the USA. In case C-362/14 Maximillian Schrems vs. Data Protection Commissioner the CJEU ruled that the Commission decision 2000/520, which states that the USA under the procedure known as “safe harbor” ensure adequate level of protection of personal data transferred, is invalid.
I don’t spend more time to talk about the details of the judgment because it has been widely reported everywhere , anyway follow this link, if you need to read the judgment
The goal of this topic is to report what were the first reactions by authorities
and what could be the impact of this decision for General Data Protection Regulation (GDPR)
The CJEU held that national supervisory authorities have the power to examine with complete independence whether the transfer of a person’s data to a third country complies with the requirements laid down by the Data Protection Directive.
Following this declaration, The Article 29 Working Party (WP29) released, on 16 October 2015, a statement following the ruling of the CJEU
the WP29 urgently calling on the Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions, that would enable data transfers while respecting fundamental rights. The WP29 considers that the “current negotiations around a new Safe Harbor could be part of the solution”
The WP29 has advised that while it considers the scope of the CJEU decision, “During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used”; however, this will not prevent national data protection authorities (DPAs) from investigating individual cases.
Prior to statement from the WP29, few DPAs had issued formal guidance regarding the impact of the CJEU decision, although some had released statements suggesting the continued viability of alternative legal mechanisms for EU-US data transfers.
Following these links you view the statements made by some DPA in the European jurisdictions :
As noted above, the statements provide a measure of reassurance for businesses, as it appears that, at least in the near term, companies can continue to rely upon Standard Contractual Clauses and Binding Corporate Rules as legal bases for their EU-US data transfers.
and what about the future ? what impact regards the proposed general data protection regulation (GDPR) ?
While the GDPR already includes detailed provisions governing jurisdiction and data transfers, the lack of an agreed text and the protracted timeline for implementation do not offer any immediate solutions to companies impacted by the Safe Harbour decision.