In October 2015 the European Court of Justice (ECJ) invalidated the EU-US Safe Harbour agreement, an agreement which was relied upon by the vast majority of international companies as the basis for legitimately transferring data outside of the EEA.
Following this decision the Hamburg Data Protection Commissioner assessed the data transfer practices of 25 internationally operating companies with office locations in Hamburg. The inspections showed that the vast majority of those organisations updated their data transfer processes following the decision by introducing standard contractual clauses or model clauses. However, a number of companies had not changed their practices on foot of the ECJ decision and fines were levied by the Commissioner against three companies in particular who were transferring personal data to the US without any legal basis for doing so. The fines imposed were between €8,000 and €11,000. Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information stated that “The fact, that the companies have eventually implemented a legal basis for the transfer had to be taken into account in a favourable way for the calculation of the fines. For further infringements, stricter measures have to be applied”.
The EU-US Privacy Shield was proposed as a mechanism that could replace Safe Harbour. However it has come under heavy criticism from the Article 29 Working Party. While the opinion of the Working Party is non-binding, such opinion has substantial influence and the EU-US Privacy Shield is being further considered by the EU Commission. Until such time as these issues have been fully addressed, the Chairman of the Working Party confirmed that data transfers to the US may still take place under the existing data transfers mechanisms, EU Model Clauses or Binding Corporate Rules.
This position has somewhat been complicated by the Irish Data Protection Commissioner who has sought declaratory relief in the Irish High Court and a referral to the ECJ to determine the legal transfer of personal data transfers under standard contractual clauses or model clauses. While the decision of the Office of the Data Protection Commissioner has absolute merit it does create further uncertainty in relation to international data transfers.
However until such model clauses are determined invalid, they remain a legal method for the international transfer of data.
Consent, consent, consent
We will be watching the developments very closely. However, in the meantime do not forget that it may be appropriate to undertake personal data transfers, once the data subject has provided his/her consent. In order to prepare for the EU Data Protection Regulation, we recommend that organisations consider and seek to comply with the new definition of consent; “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which her or she, by a statement or by a clear affirmative action, signifies agreement of the processing of personal data relating to him or her”.
This is definitely a case of watch this space!