Lindsay Urquhart follows up on her first Safe Harbour blog.

The European Commission’s Article 29 Working Party has issued a statement about the recent Schrems decision and its impact on the US Department of Commerce’s Safe Harbour scheme. The scheme originally approved under decision 2000/520/EC has been invalidated by the recent CJEU decision in Schrems.

The Working Parties’ statement is important because it represents the opinions of the representatives of all the National Data Protection Authorities within the European Union. The statement was issued following their discussions about how to ensure a co-ordinated approach to EU US data transfers in the absence of the Safe Harbour.

The Working Party has indicated that while it considers that Binding Corporate Rules and Standard Contractual clauses can still be used to allow EU US data transfers, it does not consider that they are an appropriate solution for the problem of data transfers to countries where government surveillance and interference with private data is on a massive and indiscriminate scale.

The Working Party has suggested that there is a need for an intergovernmental agreement between EU member states, the European Institutions and the US. It has also piled pressure on organisations that previously relied upon the Safe Harbour by indicating that co-ordinated enforcement action from National Data Protection Authorities could begin as early as the end of January 2016.

The Working Party anticipates that enforcement action will be necessary if: 1) there is no intergovernmental agreement; and 2) the Commission’s ongoing negotiation of a new safe harbour remains inconclusive by their January deadline. It seems unlikely that such agreement will be reached despite the fact that a second safe harbour has been under consideration by the Commission for some time.

While the statement gives businesses a firm indication of when they might face enforcement action, it makes it clear that any transfers made under Safe Harbour after the issue of the Schrem’s decision are contrary to EU law, meaning that no comfort is offered to businesses for their activities during what will be a transitional period for businesses that previously self-certified. It would appear that these businesses could still face enforcement action for transfers after the decision but before the Article 29 Working Party deadline of the end of January 2016. If businesses have not made alternative arrangements after January and there is no new scheme in place it seems likely that national DPAs will be obliged to take enforcement action. Whether national data protection authorities will actively target those who were formerly in the Safe Harbour remains to be seen.

Given the potential complexity for these businesses in adopting standard contractual clauses and binding corporate rules, the time scale is tight.

Although National Data Protection Authorities agreed that National Information Campaigns were required to ensure Data Controllers were aware of the change by the time those campaigns are rolled out, there will be very little time for businesses to make the necessary changes before the end of January 2016.