On October 26, 2015, EU Commissioner Jourová, responsible for data protection, delivered before the European Parliament a speech on the implications of the Schrems ruling (C‑362/14) by the Court of Justice of the EU, which declared as “invalid” the Safe Harbor Decision (European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce”).
In her speech, Commissioner Jourová is hinting at the type of changes to the Safe Harbor that the EU Commission is trying to achieve in the ongoing negotiations with the U.S. authorities, in the wake of Schrems.
First, the EU Commission is not trying to have the U.S. adopt data protection rules identical to those in force in the EU. The U.S. legal system must offer safeguards that are globally equivalent to the ones of the EU. These safeguards do not necessarily need to be identical.
Second, a system such as the Safe Harbor that is based on “self-certification” is acceptable provided there are “effective detection and supervision mechanisms.” The old, purely self-regulating system will be transformed into an oversight system that is more responsive and proactive. It will give national data protection authorities a more active and visible role. Enforcement will have to be effective, with deterring sanctions.
Third, the adequacy decision will be periodically reviewed in light of developments of how Safe Harbor works in practice. An annual joint review mechanism will cover all aspects of the functioning of the new framework, including the use of exemptions for law enforcement and on national security grounds.
Fourth, intervention of public authorities, in particular for reasons of law enforcement and national security, will have to be subject to clear conditions and limitations. The access or use of personal data on a “generalized basis” must be prevented and sufficiently controlled by the judicial power.
An explanatory communication on the consequences of the Schrems ruling and setting out guidance on international data transfers will be released by the EU Commission shortly.