The European Commission has been working since January 2014 to make data transfers safer for European citizens on the basis of 13 recommendations. Following the Court ruling the Commission has stepped up negotiations with the US on a renewed and safe framework on transfer of personal data. The objective of the Commission is to conclude these discussions within three months.
In the meantime, companies need to comply with the ruling and rely on alternative transfer tools where available. As First Vice-President Timmermans and Commissioner Jourová had announced on the day of the judgement, the Commission today issued guidance on the possibilities of transatlantic data transfers following the ruling until a new framework is put in place. The Commission's explanatory communication analyses the consequences of the judgement and sets out the alternative mechanisms for transfers of personal data to the US. The Commission will also continue to work closely with the independent data protection authorities to ensure a uniform application of the ruling.
Vice-President Andrus Ansip, in charge of the Digital Single Market, said: "We need an agreement with our US partners in the next three months. The Commission has been asked to take swift action: this is what we are doing. Today we provide clear guidelines and we commit to a clear timeframe to conclude current negotiations. The EU and the US are each other's most important trading partners. Data flows between our continents are essential for people and businesses. While alternative tools exist, a safer new Framework is the best solution to protect our citizens and cut red tape for businesses, especially start-ups".
Commissioner Vera Jourová said: “Citizens need robust safeguards to ensure their fundamental rights are protected. And businesses need clarity during this transition period. Our aim today is to explain under which conditions businesses can lawfully transfer data in this interim period. We will also continue to work closely with national data protection authorities, who are responsible for the enforcement of data protection law in the Member States. I have stepped up talks with the US towards a renewed and sound framework for transatlantic data flows and will continue these discussions in Washington next week. Any new arrangement has to meet the requirements of the Court ruling.”
The Commission in its Communication stresses the following points:
- the Safe Harbour arrangement can no longer serve as a legal basis for transfers of personal data to the U.S.;
- the Commission will continue and finalise negotiations for a renewed and sound framework for transatlantic transfers of personal data, which must meet the requirements identified in the Court ruling, notably as regards limitations and safeguards on access to personal data by U.S. public authorities;
- other adequacy decisions will need to be amended, to ensure that Data Protection Authorities (DPAs) remain free to investigate complaints by individuals.
The Communication sets out the alternative bases for transfers of personal data to the U.S., without prejudice to the independence and powers of the DPAs to examine the lawfulness of such transfers. Businesses can currently pursue data transfers on the basis of:
- Contractual solutions: contractual rules should obligations, such as security measures, information to the data subject, safeguards in case of transfer of sensitive data etc. Model standard contractual clauses are available here.
- Binding Corporate Rules for intra-group transfers: they allow personal data to move freely among the different branches of a worldwide corporation. They have to be authorised by the DPA in each Member State from which the multinational wishes to transfer data.
- Derogations :
o Conclusion or performance of a contract [including pre-contractual situations, e.g. in order to book a flight or hotel room in the U.S., personal data may be transferred;
o Establishment, exercise or defence of legal claims;
o If there is no other ground, the free and informed consent of the individual.
On 6 October, the Court of Justice declared in the Schrems case that Commission’s Safe Harbour arrangement was invalid. The judgment confirmed the Commission's approach since November 2013 to review the Safe Harbour arrangement, to ensure in practice a sufficient level of data protection as required by EU law.
On 15 October, Vice-President Ansip, Commissioners Oettinger and Jourová met business and industry representatives who asked for a clear and uniform interpretation of the ruling, as well as more clarity on the instruments they could use to transfer data.
On 16 October, the 28 national data protection authorities (Article 29 Working Party) issued a statement on the consequences of the judgment.
For more information: