Enter to open, tab to navigate, enter to select
French DPA Issues Guidance on ECJ Invalidation of US-EU Safe Harbor
Practical Law Legal Update w-000-9938 (Approx. 3 pages)
French DPA Issues Guidance on ECJ Invalidation of US-EU Safe Harbor
by Practical Law Intellectual Property & Technology
| Published on 23 Nov 2015 • France, USA (National/Federal) |
The French Data Protection Authority (CNIL) issued guidance for companies transferring personal data to the US in the wake of the European Court of Justice's (ECJ) October 6, 2015 decision invalidating the US-EU safe harbor framework for the transfer of personal data from the European Economic Area to the US.
On November 19, 2015, the CNIL published guidance and FAQs in light of the ECJ’s decision in Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015 invalidating the US-EU safe harbor framework for personal data transfers from the European Economic Area (EEA) to the US.
In its guidance and FAQs, the CNIL, among other things, noted that it and its fellow European Data Protection Authorities (DPAs) are working toward having in place a new legal framework under which transfers between the EEA and the US would be permitted by January 31, 2016. Further, it:
- Called on companies wishing to transfer personal information to the US to assess whether the data transfers are essential.
- Noted that it and other European DPAs are analyzing the impact of the ruling on Binding Corporate Rules (BCRs) and EU Model Clauses, but that the DPAs have agreed to allow companies to temporarily rely on them to legitimize data transfers to US Safe Harbor certified companies.
- Called on companies to implement EU Model Clauses instead of BCRs, because the implementation of BCRs takes several months.
The CNIL joins the German Conference of Data Protection Commissioners in issuing guidance on US-EU data transfers following the Schrems decision (see Legal Update, German DPAs Issue Position Paper on ECJ Invalidation of US-EU Safe Harbor).