Just hours before the Article 29 Working Party was to meet Thursday afternoon in an extraordinary plenary session on the European Court of Justice’s recent Safe Harbor invalidation, one of its members, European Data Protection Supervisor (EDPS) Giovanni Buttarelli, pronounced himself “largely optimistic” about the future of cross-border data transfers with the U.S.
Can we expect, then, asked a member of the roundtable discussion held at public affairs firm FleishmanHillard’s Brussels offices, a press release tonight from the Article 29 Working Party with a consensus on how to go forward?
Buttarelli gazed at the table for a few moments in thought.
“I’m confident about eventual outcomes,” he eventually said, with a smile. “Not necessarily today’s plenary session.”
The 40 or so people around the room laughed. But it was a nervous laughter.
Yes, the various privacy officers and general counsels were on edge, speaking under Chatham House Rules. The uncertainty created by Safe Harbor’s invalidation demanded they be on the hunt for information.
And indeed, the Article 29 Working Party released a two-page statement on the ECJ decision today. According to the press release, the WP29 is "urgently calling on the Member States and European institutions to open discussions with U.S. authorities" to "find legal and technical solutions" that would enable data transfers while respecting fundamental rights, adding, "The current negotiations around a new Safe Harbour could be part of the solution."
The big takeaway for companies is that while the WP29 considers the scope of the ECJ decision, "During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used," but this will not prevent DPAs from investigating individual cases. "If by the end of January 2016, no appropriate solution is found with U.S. authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."
At the meeting earlier, meanwhile, Buttarelli sought to assuage fears of a fractured enforcement landscape. “For 15 years,” he noted, “none of the DPAs has intervened to suspend Safe Harbor. They had the chance, but they didn’t.” There’s no reason to expect, he counseled, a rush to sanctions against companies that “were working in a bona fide approach.”
However, nor does he think a solution will come quickly. Could it take six months? A year? He wouldn’t speculate, but “it’s not so simple to square the circle.”
He felt it was vital that the Judicial Redress Act pass in the United States and predicted that it would pass before the end of the year. Further, the work being done on the General Data Protection Regulation needs to be completed by the end of the year, as promised, and it must be accompanied by the new Directive that will apply to data being handled in criminal investigations.
Buttarelli’s office, he promised, will issue an opinion on the Directive before the end of October on how those trilogue negotiations should conclude. “Look for another beautiful app,” he said, referring to the app the EDPS released earlier this year that allows for a comparison of competing drafts of the GDPR.
Until those pieces are in place, it is up to the Article 29 Working Party to be consistent on enforcement, he said. “The DPAs need to coordinate powers,” said Buttarelli. “DPAs need to be transparent as well."
If you want to comment on this post, you need to login.