More German regulators oppose model clauses for EU-US data transfers. On Wednesday, Out-Law.com reported that The Independent Centre for Privacy Protection in the state of Schleswig-Holstein in Germany had called on businesses relying on European Commission-approved model contract clauses to transfer personal data from the EU to the US to terminate or suspend those arrangements.
The watchdog said it was its view that EU-US data transfers facilitated by the use of model clauses fail to comply with EU law. The opinion was outlined in light of the ruling last week by the Court of Justice of the EU (CJEU) that the 'safe harbour' framework for enabling EU-US data transfers is "invalid". Using the model clauses in contracts is an alternative to engaging with the safe harbour regime. However, the Schleswig-Holstein authority cast doubt on whether companies can rely on model clauses to comply with EU data protection rules when transferring personal data from the EU to the US. Why model clauses and BCRs will also be in question if CJEU quashes EU-US data transfers safe harbour.
It is anticipated that the Court of Justice of the EU (CJEU) will quash a 'safe harbour' regime that supports EU-to-US data transfers amidst concerns with US surveillance practices and how that impacts on EU citizens' privacy rights.
Fears that US law enforcement and intelligence agencies engage in mass surveillance activities prompted an advisor to the CJEU to last month deem the safe harbour regime incompatible with EU data protection laws. However, if the CJEU confirms that finding on Tuesday it is likely that other legal tools, beyond safe harbour, which organisations rely on to transfer personal data from the EU to the US will come in for scrutiny too. That prospect creates uncertainty for businesses that, until now, will have believed the data transfer arrangements they have in place meet the standards required by EU law.
Concern over EU-US data transfers The advocate general's opinion The potential impact of the ruling Such scrutiny might be initiated at EU level. EU-US data transfers 'invalid' if made under 'safe harbour' regime, rules EU court. The Court of Justice of the EU (CJEU) said the 'safe harbour' regime does not provide adequate data protection, as required by EU law when personal data is sent outside of the European Economic Area.
The ruling means that thousands of businesses will have to find alternative ways of transferring personal data between the EU to the US to remain compliant with EU data protection rules. Information law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "The judgment means there is greater uncertainty for US businesses that have relied on adopting the safe harbour standards for meeting the requirements of EU data protection laws on data transfers. A new Safe Harbour Agreement is in the pipeline but, as this ruling makes clear, it will no longer be binding on data protection authorities, opening up the prospect that businesses' EU-US data transfer arrangements will be scrutinised in more detail in future. " The CJEU's safe harbour ruling – the questions and answers in the aftermath. The judgment by the Court of Justice of the EU has created uncertainty for businesses.
Companies want to know how the judgment will affect them, what actions, if any, they need to take, and what steps are being taken by the EU institutions and regulators to help them continue transferring personal data in a way that complies with EU data protection laws. Q: Reports so far have varied on how serious the implications of the judgment are at a practical level for companies. What will be the immediate impact on them? A: If they are themselves using safe harbour, they should urgently review the position, and consider other mechanisms that enable data transfers as an alternative, for example EU model contract clauses. If their suppliers or business partners are using safe harbour, the customer organisation should be urgently seeking an update from their supplier or business partner as to what alternative mechanism they are proposing to put in place, and when. EU court ruling outlines which countries' data protection laws apply to businesses with...