The EuGH court made it's decision that safe harbor is no longer considered lawful (triggered by a law suit by an Austrian against Facebook in Ireland). It basically says that EU data protection agencies can investigate companies for data protection issues even if the EU company uses an US company that is Safe Harbor certified.
This is due to the fact that the EuGH considers NSA snooping unlawful, especially that EU citizizens do not know about the spying and have no legal way in the US.
Beside Safe Harbor US companies provide data protection for EU companies based on EU model clauses. US enterprises share information about their employees back into the US based on 'corporate bindings'.
The 29 Working Group of EU data protection agencies issued their opinion last week on the EuGH decision
- Safe Harbor is unlawful for EU companies ("In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.")
- Model clauses and corporate bindings can only be used until the end of January 2016
"In the meantime, the Working Party will continue its analysis on the impact of the CJEU judgment on other transfer tools. During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used [...]
If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."
Most unlikely those will be extended beyond January 2016 if one reads the opinion of different national agencies.
The EuGH court made it's decision that safe harbor is no longer considered lawful (triggered by a law suit by an Austrian against Facebook in Ireland). It basically says that EU data protection agencies can investigate companies for data protection issues even if the EU company uses an US company that is Safe Harbor certified.
This is due to the fact that the EuGH considers NSA snooping unlawful, especially that EU citizizens do not know about the spying and have no legal way in the US.
Beside Safe Harbor US companies provide data protection for EU companies based on EU model clauses. US enterprises share information about their employees back into the US based on 'corporate bindings'.
The 29 Working Group of EU data protection agencies issued their opinion last week on the EuGH decision
http://ec.europa.eu/justice/data-protection/article-29/press...
Interesting parts:
- Safe Harbor is unlawful for EU companies ("In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.")
- Model clauses and corporate bindings can only be used until the end of January 2016
"In the meantime, the Working Party will continue its analysis on the impact of the CJEU judgment on other transfer tools. During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used [...]
If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."
Most unlikely those will be extended beyond January 2016 if one reads the opinion of different national agencies.
PS: Gmail is based on these legal frameworks.