European member states and European institutions must urgently open discussions with US authorities to resolve data transfer issues thrown up by the CJEU ruling on Safe Harbour.
That's according to a statement from the Article 29 Working Party of the European Commission, established under Directive 95/46/EC in October 1995 to advise on the protection of individuals' personal data and the free movement of such data.
It warns that if a solution is not found by the end of January 2016, “EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”.
The statement is in response to the landmark ruling of the Court of Justice of the European Union (CJEU) regarding the case of Maximilian Schrems v Data Protection Commissioner of Ireland.
The CJEU ruling fatally wounded Safe Harbour, the common name for European Commission adequacy decision 2000/520/EC of 2000.
The CJEU ruled that the Safe Harbour agreement – by which data on EU citizens was allowed to be exported to the US provided the data processor self-certified that it was in compliance with EU data protection legislation – failed to provide adequate protections for EU citizens from US surveillance activities, making it illegal under the Charter of Fundamental Rights (CFR).
Documents leaked by Edward Snowden nearly three years ago revealed that US companies such as Facebook, Google and Microsoft were compelled to allow the NSA spy agency to access EU citizens' personal data under a programme called PRISM.
Following Snowden's revelations, the European Commission in November 2013 issued 13 recommendations to restore trust in Safe Harbour and make it safer.
Despite these assurances, Safe Harbour failed to provide EU citizens with sufficient protections and right of redress, according to the CJEU.
The Working Party suggests various solutions to re-open the data channels between the EU and US, including the negotiation of a new Safe Harbour agreement.
“The current negotiations around a new Safe Harbour could be a part of the solution,” the Working Party statement says. “In any case, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.”
According to Max Schrems, the Austrian law student who brought the case, while the European authorities may wish to pursue this angle, it's unlikely that the US government will be able or willing to limit surveillance laws sufficiently to comply with the CFR's right to privacy. “To come up with effective judicial protection for non-US persons seems politically impossible, as this was not even possible for US citizens. Even the attempt to enact a Judicial Redress Act and the proposed ‘Umbrella Agreement’ show that the two sides can only reach agreement for very limited safeguards, that are far from what the CJEU now requires,” Schrems wrote.
There are other avenues apart from Safe Harbour which can be used to authorise transatlantic data transfers. Standard contractual clauses (SCC) and binding corporate rules (BCR) are commonly used not just between the US and EU but also between the EU and other non-EU countries.
These are likely to be sufficient for companies which are not involved in PRISM or other mass surveillance programmes.
EU data protection authorities will put in place information campaigns at national level to ensure that organisations for which the ruling is relevant are made aware of the changes.