Safe Harbor Update: The European Commission Issues Guidance on the Schrems Decision

This past Friday, the European Commission (“the Commission”) issued guidance addressing transatlantic data transfers after the European Court of Justice (“ECJ”) decision in the Schrems case. As we noted in an earlier post, the ECJ Schrems decision invalidated the U.S.-EU Safe Harbor framework, the mechanism that enabled self-certifying corporations to transfer personal data from EU countries to the United States. The Commission’s recent guidance sets forth its top priorities and identifies viable and available transfer mechanisms for companies now that Safe Harbor is no longer valid.

Key takeaways from the guidance include:

  • The Commission will continue to work with data protection authorities to ensure uniform application of the Schrems ruling
  • The Commission will continue to work in earnest to negotiate a safer and more comprehensive framework for future transatlantic data transfers
  • The guidance identifies standard contractual clauses and Binding Corporate Rules as viable temporary alternative transfer mechanisms
  • The guidance notes that data protection rules provide for certain exemptions, which may permit the transfer of data in specific circumstances
The Commission’s guidance should be somewhat reassuring for companies impacted by the recent Safe Harbor ruling and concerned by recent posturing of national data protection authorities. For example, this past October Germany’s Data Protection Authorities (which includes the federal DPA and 16 state DPAs) issued a 14-point position paper addressing transfer mechanisms post-Safe Harbor and suspending Binding Corporate Rules approvals and ad hoc export agreements to the US for the foreseeable future.The Commission’s guidance suggests that the Commission recognizes the urgency for a new Safe Harbor, which the EU and US are working to try and achieve by early 2016. We will continue to provide further updates as we follow these developments.