Last month in the Schrems case (Case C-362/14), the Court of Justice of the European Union (CJEU) ruled the Safe Harbor Framework invalid. This framework had been in place since 2000 and provided a system for EU-based companies to transfer personal data to companies complying with the principles of the Safe Harbor framework in the US without contravening the restrictions on cross-border transfers of data as set out in the EU Data Protection Directive.
The reasoning behind the decision related to the fact that the US authorities were able to access personal data transferred from the EU to the US and process it in a way that was incompatible with the purposes for which it was transferred and that went beyond what was strictly necessary and proportionate to the protection of national security. The CJEU also noted that the data subjects had no administrative or judicial means of redress to enable their data to be accessed, rectified or erased.
While Asian companies may not consider that they need to be concerned with the decision of the CJEU due to its reference to the export of personal data to the US, there may be wider ramifications arising from this decision which may have an impact on the methods used by companies in the EU to export data to Asian countries, as well as on the export of data by Asian companies to the US.
Other than the Safe Harbor regime (which only applied to the US), in order to transfer personal data to a country outside of the EU that is not on the approved whitelist, a company could either rely on one of the exemptions in the EU Data Protection Directive (e.g., consent; necessity for the performance of a contract); put in place binding corporate rules; or enter into the European Commission approved model contractual clauses.
However, as a result of the decision in the Schrems case, these methods have now been opened to scrutiny. Recently, the data protection authority in the state of Schleswig-Holstein, Germany, issued a position paper indicating that it was of the view that EU-US transfers facilitated by the use of model contractual clauses also fail to comply with the EU Data Protection Directive, applying the same reasoning as the CJEU. In particular, the paper notes that the model contractual clauses contain a provision pursuant to which an importer of personal data must warrant and undertake that, "it has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses." The Schleswig-Holstein data protection authority was of the view that US entities are unable to fulfil this obligation and, as a result, a data exporter has the right to suspend the transfer of data or terminate such agreements, and that the data protection authorities themselves would have the right to suspend such transfers.
Following that decision, the Datenschutzkonferenz, the 16-state German data protection authorities, issued a further position paper in which they stated that no further approvals for binding corporate rules and bespoke data export agreements involving US companies would be granted. This position paper did not extend to model contractual clauses (which do not require prior approval), but it did note that the German data protection authorities could prohibit transfers based on the model contractual clauses and that the Datenschutzkonferenz would take into account the reasoning articulated in the Schrems ruling in exercising that authority. However, the position paper did not comment on whether existing binding corporate rules or bespoke data transfer agreements that had already been approved will remain valid, so it is assumed that they are.
The position taken by the Datenschutzkonferenz is not entirely consistent with the position taken by the Article 29 Working Party (an independent advisory board on data protection and privacy set up pursuant to the EU Data Protection Directive) that stated that the data protection authorities consider that the model contractual clauses and binding corporate rules can still be used. However, the Article 29 Working Party is continuing to analyze the impact of the CJEU judgment on these transfer tools, and it stated that the use of these methods for cross-border transfers of data would not prevent data protection authorities from investigating particular cases.
The Article 29 Working Party continues to seek a solution to this matter but has stated that, "if by the end of January 2016, no appropriate solution is found with U.S. authorities and depending on the results from the Art. 29 WP's assessment of the other transfer tools, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions." This means that companies that are Safe Harbor certified, or that transfer data to Safe Harbor certified companies, have a three-month grace period to become compliant and find another solution to protect data transfers outside the EU.
What does this mean for companies in Asia?
The discussions so far have related to the transfer of personal data from the EU to the US. However, based on the position being taken by the German data protection authorities and the Article 29 Working Party, all data transfers could be open to scrutiny, including those from the EU to Asia. Asian companies that receive personal data from the EU pursuant to model contractual clauses or binding corporate rules should therefore be prepared for potential challenges to the receipt and collection of personal data pursuant to these transfer tools on the grounds set out in the Schrems case, especially if they are based in jurisdictions that have similar surveillance programs to the US.
In addition, the data protection laws of a number of Asian countries follow principles similar to those contained in European data protection legislation. These include provisions restricting transfers of personal data to other countries unless a certain level of protection is afforded to such personal data in that country. In light of revelations regarding US surveillance practices, transfers of personal data by companies based in Asian countries to the US could also be challenged by Asian data protection authorities following the same reasoning as set out in the Schrems case. For example, Google Inc. was recently ordered by a Seoul court to disclose a list of personal information that it had shared with third parties (which included a US intelligence agency).
In preparation for such challenges, companies should review the types of data that they are collecting and also the purposes for such collection. Entities should also consider whether any exemptions from the restrictions on transfers could apply to such data (e.g., informed consent, necessity for the performance of a contract), which would remove the need to rely on model contractual clauses or binding corporate rules, or whether data can be anonymized so that the EU Data Protection Directive no longer applies to it.