EU Commissioner Vera Jourova recently announced in a speech to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the Commission and the US have made substantial progress in finalizing a new Safe Harbor program. Jourova noted that the collection and use of European personal data for US national security purposes remains a key open issue. However, she also reminded LIBE that the US has undergone a substantial review of the NSA’s alleged mass surveillance activities over the past couple of years.
Overall, Jourova’s comments seemed optimistic regarding getting a new Safe Harbor program finalized prior the Art. 29 Working Party’s January deadline for increased enforcement by national Data Protection Authorities starting at the end of January 2016. (The Art. 29 Working Party’s statement is available as a PDF on this page.)
In the meantime, the German regional data protection authorities have collectively announced that they will investigate data transfers by Google and Facebook to the US (without waiting for complaints by German users). The German DPAS have also suspended approval of new Binding Corporate Rules and customized data protection clauses. (Model clauses, which don’t require DPA approval in Germany, are not immediately affected, but could be vulnerable to attack.)
Keeping an eye on national data protection authorities’ enforcement agendas will be important once we have Safe Harbor 2.0 in place, since under the Schrems decision, Safe Harbor 2.0 will be effectively subject to the review of national DPAs and courts.