The data protection authorities of the EU Member States, meeting in the Article 29 Working Party, of which the Spanish Data Protection Agency is a member, have just published a joint statement on the first consequences of can be extracted at European and national level following the historic ruling of the Court of Justice of the European Union (CJEU) of 6 October 2015 in the case Maximilian Schrems vs. Data Protection Commissioner (C-362-14).
In their letter, the EU data protection authorities consider that it is absolutely essential to have a solid, collective and common position on the application of the ruling. On the other hand, the Working Party will closely monitor the progress of the proceedings pending before the Supreme Court of Ireland.
First, the Working Party emphasizes that the issue of mass and indiscriminate surveillance is a key element of the Court's analysis. The Group recalls that it has repeatedly stated that this monitoring is incompatible with the EU legal framework and that existing transfer tools are not the solution to this problem. In addition, as already stated, transfers to third countries in which the powers of state authorities to access information exceed what is necessary in a democratic society will not be considered as safe destinations for transfers.
In this regard, the court ruling requires that any adequacy decision involve a broad analysis of the national laws of the recipient country of the data, as well as its commitments.
The Working Group therefore calls on the Member States and the European institutions to enter into talks with the US authorities in order to find political, legal and technical solutions that allow data transfers to US territory while respecting fundamental rights.
These solutions could be found through the negotiations of an intergovernmental agreement that provides more guarantees to those interested in the EU. The current negotiations around a new Safe Harbor could be part of the solution. In any case, these solutions should always be accompanied by clear and binding mechanisms and include, at least, obligations on the necessary monitoring of access by public authorities, on transparency, proportionality, redress mechanisms and rights set out in data protection legislation.
In the meantime, the Working Group will continue its analysis of the impact of the ECJ ruling on other transfer tools. During this period, data protection authorities consider that the Type Contractual Clauses and Binding Corporate Rules (BCRs) may continue to be used. In any case, this will not prevent data protection authorities from investigating particular cases, for example, from complaints, and exercising their powers in order to protect people.
If at the end of January 2016 an appropriate solution has not been found with the US authorities, and based on the evaluation of the transfer tools by the Working Group, the EU data protection authorities they undertake to take all necessary and appropriate measures, which may include coordinated law enforcement actions (enforcement).
With regard to the practical consequences of the judgment of the ECJ, the Working Party considers that it is clear that transfers from the European Union to the USA can no longer be framed in the European Commission's Adaptation Decision 2000/520 / EC (the so-called Safe Harbor Decision). In any case, transfers that are still taking place under the Safe Harbor Decision following the ECJ ruling are illegal.
In order to ensure that all actors are sufficiently informed, EU data protection authorities will launch appropriate information campaigns in their respective countries. This may include direct information to all companies that are known to have used the Safe Harbor Decision, as well as general messages on the authorities' websites.
In conclusion, the Working Party insists on the shared responsibilities between data protection authorities, EU institutions, Member States and companies to find sustainable solutions to implement the Court's ruling. In particular, and in the context of the ruling, companies should reflect on the possible risks they take in transferring data and consider the appropriate implementation of all legal and technical solutions to mitigate these risks and respect the Community heritage of Data Protection.
