After days of anticipation following the decision by the EU’s highest court to strike down the Safe Harbour mechanism for transferring personal data to the US, the Data Protection Authorities have now spoken.
The Article 29 Working Party, the body that represents the collective voice of the EU’s privacy enforcers issued a statement on the 16 October. They have promised not to rock the boat just yet, but that if a viable alternative to Safe Harbour is not found by the end of January 2016, there is a clear warning to batten down the hatches and prepare for a storm of enforcement.
OK, enough of the puns.
What this amounts to is more pressure to finish negotiations on Safe Harbour 2.0. Transfers based on Safe Harbour are now unlawful they state, however Standard Contractual Clauses and Binding corporate rule are still valid tools.
Nonetheless, there is a recognition it seems that these are not completely watertight (OK, one more), as they will continue to consider what the court judgement means for these other transfer tools, and the continued use of them is qualified as allowable ‘during this period’.
They also emphasise the fact that the ‘massive and indiscriminate surveillance’ unearthed by Edward Snowden remains an unresolved issue at the heart of the problem.
With this in mind, readers should also take a look at the blog from Microsoft’s respected Chief Legal Officer, Brad Smith. Addressing the issues that we have touched on ourselves, about the problems of jurisdictional boundaries and the global web, his suggestions for a way forward are highly practical.
At the heart is the idea that a citizens legal protections should follow their data wherever it is stored. If this could become the basis of new international agreements, many of the issues could be resolved, including processes for lawful access by security and government agencies.
Sounds like plain sailing to me.