In letters sent on November 20, 2015 (see the letter sent to the chairman of the Article 29 Working Party here), the U.S. Chamber of Commerce and its EU equivalent, BusinessEurope, urged the U.S. and EU negotiators to “expeditiously reach agreement on a strengthened Safe Harbor framework that takes into account the concerns raised by the ECJ ruling and enables data transfers between the EU and US.”
On October 6, 2015, the Court of Justice of the EU in Schrems invalidated the Safe Harbor decision of the European Commission, based on a number of concerns about surveillance practices in the U.S. and the lack of sufficient judicial recourse for EU data subjects (see our post here).
The U.S. Chamber of Commerce and BusinessEurope, speaking on behalf of businesses small and large on both sides of the Atlantic, express in their letters their concerns about the present difficulties that the Schrems case has created, and provide some input as to how in their view the concerns raised by the Court of Justice in Schrems could be addressed in a new safe harbor.
There is today a great deal of confusion created by the fact that certain data protection authorities have started to ban the transfer of personal data to the U.S., despite a call by the Article 29 Working Party (an advisory body composed of the data protection authorities of the EU’s Member States and of the European Commission) not to do this until at least the end of January 2016, so as to not unduly disrupt transatlantic data flows while negotiators upgrade Safe Harbor. Both organizations consider, “In the absence of an appropriate transition period and without clear, consistent and coordinated guidance for realistic substitute compliance methods, everyday business occurrences, such as managing a global supply chain or processing employee payroll for EU-based subsidiaries could be discontinued.” The current uncertainties could also disrupt critical healthcare and safety infrastructure and services, they say.
For the future, the U.S. Chamber of Commerce and BusinessEurope recall that many recent legislative changes in the United States were not considered by the Court of Justice, for instance “President Obama’s January 2014 Presidential Directive, the findings of the Privacy and Civil Liberties Oversight Board, the June passage of the Freedom Act, all of which significantly clarify and tighten controls over electronic surveillance in the United States.” They also call for the adoption of the Judicial Redress Act. They seem to be saying that these texts should address the concerns of the Court of Justice of the EU in Schrems.
Beyond Safe Harbor, both organizations consider that Schrems calls into question other existing schemes for transferring data from the EU to third countries, such as binding corporate rules (BCRs) and the European Commission’s standard contractual clauses, and even other decisions by the Commission recognizing the adequacy of data protection laws of certain countries (Canada, Switzerland, etc.). On this, see our earlier post here.
On this basis, the U.S. Chamber of Commerce and BusinessEurope make five urgent calls:
- Timely conclusion of the negotiations between the EU and U.S. on a revised Safe Harbor. Both the EU and U.S. must make efforts to compromise.
- Joint guidance from the European Commission and the Article 29 Working Party on how to move forward and deal with the current legal uncertainty, as neither the 16 October statement by the Article 29 Working Party nor the European Commission Communication of 6 November did enough to settle the current confusion.
- Guarantees for consistent treatment by national data protection authorities of international data transfers.
- An adequate transition period of at least six months but preferably longer in the enforcement approach to allow companies to move to alternative methods to permit data transfers.
- Assurance that the ongoing negotiations on the proposed EU general data protection regulation deliver a regulation that provides sound and predictable transfer mechanisms that avoid fragmentation, and strikes the right balance between the importance of protecting citizens’ data and ensuring their free flow in the European Single Market and beyond.