EU Data Protection Authorities Issue Statement Following Schrems Decision

October 16, 2015

On October 16, 2015, the body of European data protection regulators (Article 29 Working Party or WP29) issued a statement on the implementation of the judgement of the Court of Justice of the European Union (CJEU) in Schrems. This is the first guidance issued by the Article 29 Working Party following the groundbreaking Schrems decision.

Guidance from WP29 is a good indication of how EU data protection authorities are likely to interpret the law, but it is not legally binding on national data protection authorities or national courts.

The main points of the Article 29 Working Party statement are as follows:

  1. WP 29 urges all relevant stakeholders—the EU Commission, the EU member states, and the U.S.—to find the right political, legal, and technical solutions to enable data transfers to the U.S. in accordance with EU fundamental rights by the end of January 2016.
  2. Solutions offered by WP 29 include negotiating an intergovernmental agreement providing stronger guarantees to EU data subjects, as well as the current negotiations around a new Safe Harbor framework.
  3. Until a solution is reached, WP29 will continue its assessment of other data transfers mechanisms (e.g., standard contractual clauses, binding corporate rules, and derogations).
  4. In the meantime, standard contractual clauses and binding corporate rules can still be used to transfer personal data, but national data protection authorities have the authority to investigate particular cases—for example, following complaints—and to exercise their powers to protect individuals' rights to privacy and data protection. This may include the power to suspend data transfers.
  5. If by the end of January 2016 no appropriate solution is reached with U.S. authorities, and depending on the assessment of the transfer tools by the Article 29 Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
  6. WP 29 also noted that the Safe Harbor EU Commission adequacy decision is invalid and, therefore, data transfers that are occurring under the Safe Harbor framework after the CJEU judgment are unlawful under EU law.
  7. EU data protection authorities will conduct information campaigns at the national level, including direct information to companies that were relying on Safe Harbor.

The Schrems decision created a high degree of uncertainty around the legal framework applicable to data transfers in the EU. The situation is in flux and is rapidly evolving. We will continue to monitor the consequences of this case and will update you on any new developments.

Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws globally, along with advising clients on EU privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Michael Rubin, Chris Olsen, or another member of the firm's privacy and data protection practice.