On 23 January 2015, the Portuguese National Data Protection Agency (Comissão Nacional de Proteção de Dados – "CNPD") issued a communication with its guidelines on the impact of the judgment of 6 October 2015 of the Court of Justice of the European Union ("CJEU") on authorisations to transfer data to the United States of America issued under the Safe Harbor agreement.
In its judgement, the CJEU decided that the transfer of data to the USA on the basis of the Safe Harbor agreement does not guarantee an adequate level of protection equivalent to that in the European Union. For this reason, it declared that European Commission Decision 2000/520/CE of 26 June 2000 is invalid.
You can read our commentary on the CJEU decision here.
The CNPD decided that:
In the future, it will only issue provisional authorisations to transfer personal data to the USA;
It will analyse all the authorisations issued since 2000 indicating that those responsible for the processing of data must immediately suspend any flows of data that are based on the Safe Harbor agreement.
As a result of these guidelines, it is now urgent for companies to check whether they are currently making transfers of personal data to the USA under the Sake Harbor agreement. If they are, it is essential for them to enter into the standard contractual clauses approved by the European Union in order to make sure any such transfers are lawful.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.