As has been widely reported, the US Safe Harbor data transfer framework is dead.
However, its successor has yet to be anointed. We are in an interregnum, and the winds of uncertainty swirl through the otherwise subdued halls of data privacy.
What now is a data privacy officer to do? The best advice: be on guard, and read on.
In response to the European Court of Justice ruling in the Schrems case – which delivered the coup de grâce to a system already wounded by the Snowden revelations – the EU's Data Protection Authorities (DPAs) met in the excitingly named Article 29 Working Party (the "A29WP").
On October 16th, the A29WP stated the following:
• Transfers taking place under the Safe Harbor Framework alone are unlawful.
• It is essential for the EU DPAs to have a "robust, collective and common position" on the Schrems judgement.
• Mass, indiscriminate surveillance is incompatible with the EU legal framework.
• There is a need for an intergovernmental solution to the EU/US data transfer problem.
• EU Model Clauses and Binding Corporate Rules can still be used for US data transfers while the A29WP analyses the impact of the Schrems judgement on them.
• Other forms of data transfer can be investigated by local DPAs on an individual basis.
• If no intergovernmental solution has been found by the end of January 2016, EU DPAs are committed to taking all appropriate actions to protect the data of individuals, including co-ordinated enforcement actions.
• Meanwhile, businesses should urgently consider putting in place any legal and technical solutions necessary to mitigate the risk of breaches of EU data protection principles.
In any event, the whole EU data protection framework is under review, and whatever eventually arrives next year will no doubt place more onerous obligations on business.
So, the best advice now is to be clear about your own data flows and your current data compliance approach, and to develop a plan that anticipates the new, not-so-Safe-Harbor world.