Polish Data Protection Authoritys Statement on the Invalidation of Safe Harbor Principles

    View Author December 2015

    On 6 October 2015, the EU Court of Justice made a landmark ruling in the case of Maximilian Schrems v Data Protection Commissioner (C-362-14), in which it held that the decision of the EU Commission on 26 July 2000,regarding the adequacy of the protection provided by the US Department of Commerce’s safe harbor privacy principles, was invalid.

    In reply to this, the Article 29 Data Protection Working Party issued a press release with regard to the said judgment. Amongst other things, it stressed that even though the use of safe harbor as regards providing personal data to the US was no longer possible, all the other rules regarding the legality of passed data were still in force; so it is still possible to use standard contractual clauses and binding corporate rules.

    The Polish law sets out a catalogue of the criteria concerning transfer of personal data outside the EEA in art. 47 - 48 of the Act on Personal Data Protection. Until member states have developed other common solutions, the personal data protection authorities of member states, including the Polish Data Protection Authority as of 1 February 2016, will start to enforce the law in this respect using their own initiative.

    According to a statement from the Polish Data Protection Authority, the time limit set in the said press release does not mean that businesses are not obliged to immediately apply another legal basis in order to demonstrate their rights to effect transfers to third parties. The time limit indicated shall be treated as a maximum time limit until which member states’ data protection authorities shall, in principle, not commence actions to enforce the said judgment.

    It should be emphasized that, according to the statement, the Polish Data Protection Authority will nevertheless act on any complaints received within the subject matter, even those submitted before 1 February 2016. This is due to the legal enforceability of ER CJ judgments and the fact that the court decided not to postpone the effects of the judgment in the Schrems case until a later date. As of the moment of the issuance of the judgment, transferring data to the US under the decision of the Commission is illegal.