TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Safe Harbor Fallout: Commission, Council Debate Parliament; German DPA Takes Next Step Related reading: California bill on universal opt-out mechanisms introduced



The ramifications of the European Court of Justice (ECJ) October 6 decision in the Schrems case, invalidating Safe Harbor, continued today. First, the European Parliament announced it will have EU commissioners and councilors address its plenary this evening. Second, the data protection commissioner from the German state of Schleswig-Holstein has taken the step that many have predicted and issued a position paper that follows the ECJ’s logic to declare model contract clauses, even consent, to likely be invalid ways of transferring data to the U.S.

The release from Parliament notes that MEPs are “likely to ask the Commission to clarify the legal situation following the (Safe Harbor) ruling and demand immediate action to ensure effective data protection for EU citizens.” The debate will start at 7:30 p.m. Brussels time.

The news out of Parliament comes alongside a new proclamation issued by the Parliament’s Civil Rights Committee (LIBE), which voted 28-20 to say “there is widespread agreement that something has gone wrong with the way that intelligence agencies and others have acted. Work needs to continue to ensure that civil liberties are defended on the Internet, too.” LIBE condemned not just U.S. practices but those of certain EU member states as well, singling out the UK, France and The Netherlands.

Parliament issued a similar proclamation in 2014 and is dismayed the Commission has done little to act on it, calling the efforts “highly inadequate.”

Further, LIBE expressed indignation about the Commission’s actions in regard to Safe Harbor. “They protest that Parliament has received no formal feedback from the Commission regarding the implementation of the 13 recommendations for a ‘safer’ Safe Harbour,” reads a press release LIBE issued, “and stress that ‘it is now urgent that the Commission provide a thorough update on the negotiations thus far and the impact of the judgment on the further negotiations.’”

They also call for a reflection “immediately” on how the judgment affects other ways of transferring data, including Binding Corporate Rules and model contractual clauses.

Just hours after that proclamation was announced from Parliament, Marit Hansen, head of ULD, the data protection authority in Schleswig-Holstein, issued a press release and position paper. "In view of the high demands that the Court has established in its judgment,” Hansen wrote in German, “a lasting solution can only be in a significant change in U.S. law. Businesses in Schleswig-Holstein that transmit personal data to the United States should review its procedures as quickly as possible and consider alternatives for processing of personal data in the United States. This applies not only to such transfers, which have been based on the Safe Harbor Principles, but for every transmission to the US."

The ULD specifically recommends that companies using standard model contracts cancel them with their U.S. partners and do a complete review of data transfers, consulting with the ULD in basically every instance.

Will other data protection authorities follow suit?


If you want to comment on this post, you need to login.

  • comment Katharina Kopp • Oct 14, 2015
    The ULD also notes that fines can be imposed for up to €300,000 .
  • comment Dominic Custodio • Oct 16, 2015
    Under the heading of "be careful what you ask for, you might get it," I wonder what the ULD would do if all of the companies in their jurisdiction did what they said, how long would it take them to process all of the consultation requests?  How long would they impinge the companies while they do these consultative reviews and what damage would that lag time do to the companies who can not transfer any data?  Just curious - thoughts anyone?