As we reach the end of November, an update is in order on the rapid-paced and continuing fall-out from the Court of Justice of the European Union’s October 6 ruling in the Schrems case. Over the past month or so, the main developments have been as follows:
- The EU Parliament LIBE committee issued a press release condemning mass surveillance in the US and in some member states and calling upon the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor (Oct. 13).
- The Schleswig-Holstein DPA announced that data transfers to the US based upon model contracts should be terminated or suspended (Oct. 14).
- DPAs in Bemen and Berlin confirmed that they agree with their colleague in Schleswig-Holstein on the unacceptability of model contracts as an alternative to Safe Harbor (Oct.15).
- The Article 29 Working Party issued a statement calling for a “robust, collective and common position” on implementing Schrems; pledging to review the viability of model contracts and BCRs, while noting that they can in the meantime still be used absent particular circumstances; and warning that it would “take all necessary and appropriate actions, which may include coordinated enforcement actions” if a solution is not found with US authorities by January 31, 2016 (Oct. 16).
- The Israeli data protection authority (ILITA) revoked its acceptance of Safe Harbor membership as a valid basis for data transfers to the US (Oct. 19).
- Calling for recognition that privacy is a fundamental human right, the President and Chief Legal Officer of Microsoft proposed four steps to resolve the impasse over trans-Atlantic data transfers (Oct. 20).
- The US House of Representatives passed the Judicial Redress Act that would extend to foreigners the same rights to judicial redress as US citizens have in law enforcers violate their privacy (Oct. 21).
- The Swiss DPA announced that data transfers to the US could no longer be based upon the US-Swiss Safe Harbor framework (Oct. 22).
- The German data protection authorities collectively announced that they would no longer approve new data transfers based upon model contracts or BCRs and would immediately investigate data transfers to the US by large US companies (Oct. 27).
- The European Union announced that it had struck a deal “in principle” with the US on a new data-sharing agreement to strengthen Safe Harbor, a deal involving greater oversight by the Dept. of Commerce and a review by European officials of access to transferred data by US security and law enforcement agencies (Oct. 27).
- Oracle revealed that it is now keeping all data regarding European citizens within the EU (Oct. 28).
- The US Commerce Secretary said that a solution she called “Safe Harbor 2.0” is “totally doable” and will be coming “shortly” (Oct. 29).
- The EU Parliament re-iterated its concerns about mass surveillance in the US and in Europe, called for a report by the Commission by the end of 2015 and urged member states to grant whistle blower status and protection to Edward Snowden (Oct. 29).
- Large US companies such as Facebook and Airbnb said that they rely upon transfer mechanisms other than Safe Harbor (Nov. 1).
- The Spanish DPA (AEPD) announced that it had sent a letter to all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies, given them until January 29, 2016 to inform the authority of what mechanisms for data transfers they were now using (Nov. 3).
- The Dubai International Financial Centre DPA stated that data controllers needed a legal basis for data transfers to the US other than Safe Harbor (Nov. 5).
- The European Commission issued a communication about the Schrems decision stating that model contracts and BCRs can still be used while discussions proceed with the US (Nov. 6).
- Microsoft announced that in conjunction with Deutsche Telekom it will be offering cloud services from Germany and other EU member states that will be beyond the reach of US authorities. Other cloud vendors such as Amazon, Google and Syncplicity are also ramping up their opening of data centers in Europe (Nov. 11).
- A group of 40 privacy groups from both Europe and the US said that the proposal for a new data transfer agreement is insufficient to protect privacy and will likely be struck down by regulators and Europe's high court (Nov. 16).
It is worth noting that no significant developments relevant to Schrems and Safe Harbor have been reported during the last two weeks, the likely reason being the November 13 terrorist attacks in Paris. Although some believe, or hope, that the attacks are shifting the pendulum from privacy to security, it is difficult to see how they impact or change the current EU-US legal impasse over data transfers.
Meanwhile, the clock continues to click towards the January 31, 2016 deadline, as massive a date in the data protection community as Y2K was a decade and a half ago for society in general. However, the chances that January 31 will be as much a non-event as Y2K proved to be are very small. Whether we see a successful conclusion to the Safe Harbor 2.0 negotiations or not, the next few months are going to be memorable and consequential.