On Friday 16 October, Europe’s data protection regulators issued a statement effectively enabling ongoing transfers of personal information from the EU to the US, at least for a few months.
The statement calls for a robust, collective and common position on the implementation of the Schrems judgment and on EU Member States to pursue urgent discussions with the US authorities to find political, legal and technical solutions enabling data transfers that respect the fundamental rights of European citizens.
It says that in the meantime it will continue its analysis on the impact of the judgment on other transfer tools and crucially that for the time being;
“Data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used.”
Perhaps rather ominously the statement says that if a solution isn’t found by the end of January 2016;
“EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
This statement should be treated as providing some ‘breathing space’ for those many businesses affected, but not much more and certainly not as anything but a short term solution that buys time for about 3 months. Businesses should assess their exposure and make sure that their transfer solutions still work.
Although the statement is not law as such, it is influential and is likely to be followed by national data regulators and courts.