The ramifications of the European Court of Justice (ECJ) October 6 decision in the Schrems case, invalidating Safe Harbor, continued today. First, the European Parliament announced it will have EU commissioners and councilors address its plenary this evening. Second, the data protection commissioner from the German state of Schleswig-Holstein has taken the step that many have predicted and issued a position paper that follows the ECJ’s logic to declare model contract clauses, even consent, to likely be invalid ways of transferring data to the U.S.
The release from Parliament notes that MEPs are “likely to ask the Commission to clarify the legal situation following the (Safe Harbor) ruling and demand immediate action to ensure effective data protection for EU citizens.” The debate will start at 7:30 p.m. Brussels time.
The news out of Parliament comes alongside a new proclamation issued by the Parliament’s Civil Rights Committee (LIBE), which voted 28-20 to say “there is widespread agreement that something has gone wrong with the way that intelligence agencies and others have acted. Work needs to continue to ensure that civil liberties are defended on the Internet, too.” LIBE condemned not just U.S. practices but those of certain EU member states as well, singling out the UK, France and The Netherlands.
Parliament issued a similar proclamation in 2014 and is dismayed the Commission has done little to act on it, calling the efforts “highly inadequate.”
Further, LIBE expressed indignation about the Commission’s actions in regard to Safe Harbor. “They protest that Parliament has received no formal feedback from the Commission regarding the implementation of the 13 recommendations for a ‘safer’ Safe Harbour,” reads a press release LIBE issued, “and stress that ‘it is now urgent that the Commission provide a thorough update on the negotiations thus far and the impact of the judgment on the further negotiations.’”
They also call for a reflection “immediately” on how the judgment affects other ways of transferring data, including Binding Corporate Rules and model contractual clauses.
Just hours after that proclamation was announced from Parliament, Marit Hansen, head of ULD, the data protection authority in Schleswig-Holstein, issued a press release and position paper. "In view of the high demands that the Court has established in its judgment,” Hansen wrote in German, “a lasting solution can only be in a significant change in U.S. law. Businesses in Schleswig-Holstein that transmit personal data to the United States should review its procedures as quickly as possible and consider alternatives for processing of personal data in the United States. This applies not only to such transfers, which have been based on the Safe Harbor Principles, but for every transmission to the US."
The ULD specifically recommends that companies using standard model contracts cancel them with their U.S. partners and do a complete review of data transfers, consulting with the ULD in basically every instance.
Will other data protection authorities follow suit?