Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with the U.S. government regarding the so-called Safe Harbor 2.0 within three months.  This timeline dovetails with the Article 29 Working Party’s grace period, which continues until the end of January 2016.

The Commission stated that, for now, companies can use the following transfer tools:

  • Standard Contractual Clauses (or Model Contract) and other contractual solutions that “satisfactorily compensate for the absence of a general level of adequate protection, by including the essential elements of protection which are missing in any given particular situation.”
  • Binding Corporate Rules, which, upon authorization by the data protection authority in each Member State from which the company wishes to export data, allow personal data to move freely among the different branches of a global company.
  • Applicable alternative derogations set forth in Article 26(1) of Directive 95/46/EC, including certain circumstances where the transfer is necessary:
    • For the performance of a contract or the implementation of pre-contractual measures taken in response to the data subject’s request (such as when the data subject wishes to book a flight or hotel room in the U.S.);
    • For the conclusion or performance of a contract concluded in the interest of the data subject between the data controller or a third party (such as when a data subject is the beneficiary of an international bank transfer); or
    • For the establishment, exercise, or defense of legal claims.
  • If there is no other ground, the free, informed, and unambiguous consent of the individual, which may be revoked by the individual.

The Commission reiterated the Article 29 Working Party’s recommendation that the specific legal framework of the Standard Contractual Clauses or Binding Corporate Rules is preferable to the alternatives for repetitive, mass, or structural data transfers.

The Commission also promised to “work closely with the independent data protection authorities to ensure a uniform application of the ruling.”  This task may prove difficult, in light of the differences in contemplated implementation and enforcement among data protection authorities.  The Spanish data protection authority, for example, is requiring companies that previously gave notice of cross-border data transfers to Safe Harbor-certified companies to inform it by January 29, 2016 of the replacement mechanisms implemented to achieve adequate protection.  This move by the Spanish data protection authority implicitly suggests that Safe Harbor alternatives remain valid in Spain for the time being.  Conversely, as we previously discussed here and here, German data protection authorities have cast doubt on the continued validity of many alternatives endorsed by the Commission and the Article 29 Working Party.