Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

Safe Harbor: A29 Statement Released on “What’s Next?”

By Nick Graham
October 16, 2015
  • Data Transfers
  • Enforcement
  • Europe
Share on Facebook Share on Twitter Share via email Share on LinkedIn

The Article 29 Working Party has, today, published its Statement following the Safe Harbor decision last week. It’s been confirmed that Model Contracts (a.k.a. Standard Contractual Clauses) and Binding Corporate Rules can still be used.

The DPAs also say that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgement”. Similarly, Giovanni Buttarelli, European Data Protection Supervisor said he was “largely optimistic” (as just reported by the IAPP) about the future of cross‑border data transfers with the US.

Further, the Working Party is urgently calling on member states and EU institutions to open discussions with the US authorities to find political, legal and technical solutions to enable data transfers to the US. Clearly this is key.

Confirmation on Safe Harbor

As per last week’s Court Decision, Safe Harbor is invalid: No news here!

Can alternative transfer tools be used?

Yes! The Working Party says that Standard Contractual Clauses and Binding Corporate Rules can still be used. This was the line taken by the ICO last week.

However, pending agreement of upgraded arrangements for data transfer with the US, the Working Party says it will continue “its analysis on the impact of the CJEU judgment on other transfer tools”.  If, by the end of January 2016, no solution is found with the US authorities and, depending on the assessment of other transfer tools by the Working Party, the EU DPAs are “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”.

This sounds like a grace period until the end of January for those who previously used Safe Harbor while retaining local DPAs rights to investigate and exercise powers based on particular concerns or complaints. Clearly, that will depend on local regulatory policy and culture.

A new deal with the US?

It’s clear from the Statement today that the Working Party follows the Court view on mass surveillance and compatibility with EU law. The Working Party is saying that a new deal with the US would involve political, legal and technical solutions in order to secure respect for fundamental rights (i.e., data protection). It also suggests that solutions could be found through the negotiation of an intergovernmental agreement that provides stronger guarantees for EU data subjects. So this is a broader issue that the current negotiations around a new Safe Harbor 2.0 although that could be “a part of the solution”. The Working Party is likely also looking for new law on oversight of surveillance and EU citizens’ data rights as minimum requirements.

What do we make of this?

The Statement is clearly the result of competing views on what should happen next. It gives a clear statement that Model Contracts and BCRs can still be used (good news). But it is a complicated picture. However, this doesn’t change our earlier recommendation that companies should identify data flows previously covered by Safe Harbor, assess the priority level and consider implementing one of the other solutions. Much will depend on the nature of your business, the data being transferred and the regulatory risk in particular jurisdictions in order to best assess next steps.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Nick Graham

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity, information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.

All posts Full bio

RELATED POSTS

  • Canada
  • Enforcement
  • Marketing, Cookies & Spam

Enforcement Notice: First text message case under CASL

By Karl Schober
  • Consumer Protection
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Health Information Privacy
  • Privacy Rights
  • United States

FBI Warns Cyber Criminals Are Targeting Unsecured FTP Servers In The Healthcare Industry

By Peter Stockburger
  • Data Transfers
  • Europe
  • United Kingdom
  • United States

International data transfers in the post-Schrems II reality

By Todd Daubert, Simon Elliott, Marc Elshof, Nick Graham, Tatiana Kruse, Giangiacomo Olivi, and Christian Schefold

About Dentons

Dentons is the world’s largest law firm, delivering quality and value to clients around the globe. Dentons is a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ polycentric approach and world-class talent challenge the status quo to advance client interests in the communities in which we live and work. www.dentons.com.

Dentons Digital

Twitter

Categories

  • Accountability
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo

© 2021 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site