Poland’s data protection authority, the Generalny Inspektor Ochrony Danych Osobowych (GIODO), recently issued its opinion on the continued validity of personal data transfers to the US. The opinion comes at a time when nearly every means of legitimizing data transfers from the EU to the US has come under fire: on October 6, the European Court of Justice (CJEU) issued a decision invalidating the US-EU Safe Harbor framework, and soon after Germany’s Conference of Data Protection Commissioners indicated that the German DPAs would not grant any new approvals for data transfers to the US on the basis of binding corporate rules (BCRs) or standard contractual clauses. Meanwhile, the Article 29 Working Party issued an opinion stating that standard contractual clauses and BCRs remained valid tools for transferring personal data from the EU to the US. Furthermore, it recognized that American and European authorities were negotiating to develop a Safe Harbor replacement, and that EU DPAs therefore would not bring enforcement actions unless the negotiating authorities fail to reach a solution by end of January 2016.
The Polish DPA recently weighed in as well. GIODO’s statement indicates that any companies still relying on their Safe Harbor certification to transfer data from Poland should not wait until the end of January to adopt one of the alternative transfer mechanisms, as GIODO may begin enforcement before that time. In its statement, GIODO recognizes the Article 29 Working Party’s position that standard contractual clauses and BCRs remain viable transfer mechanisms, and that the various European DPAs would not begin their enforcement actions until February 1, 2016. However, GIODO noted that it nevertheless would “react to any complaints received … before 1 February 2016” because the CJEU’s judgment that the Safe Harbor framework was invalid was meant to take effect immediately.
This opinion puts increased pressure on any companies that may still be relying on a Safe Harbor certification with the idea that they still have a few months to find a new transfer solution before risking an enforcement action brought by a European DPA. Those companies that export personal information out of Poland should consider adopting alternative transfer mechanisms – such as standard contractual clauses, BCRs, or obtaining the consent of data subjects – given that GIODO now has floated the possibility of taking complaint-based actions against those companies still relying on Safe Harbor in the immediate future. The opinion also increases the pressure on EU and American officials to finish negotiating the new Safe Harbor framework. These negotiations currently are in progress and officials are hoping for a deal by January 2016.