Since the Schrems Decision two weeks ago, there have been numerous articles, webinars and discussions about how to “correctly” transfer EU personal data to the United States in the absence of Safe Harbor. While it is uncertain what the future holds in relation to EU data transfers, it appears the best course of action for Safe Harbor (SH) certified companies is to review their current data transfer arrangements and determine whether such transfers can continue to be lawful, and, if not, determine the necessary changes.
The Article 29 Working Party appears to be giving SH companies a grace period until the end of January 2016 to have alternative data transfer methods in place. Although we anticipate the Article 29 Working Party and data protection authorities will be issuing further guidance, and while it is possible that a Safe Harbor 2.0 will be finalized by the end of January, below are some recommendations on next steps given the current lay of the land.
Next Steps To Consider
- Analyze and create a list of your current data transfers that includes the following information: (1) data exporter and location; (2) data importer and location; (3) type of data being transferred; (4) any relevant contract provisions relating to the data transfer; (5) the importance of the data transfer to the operations of the business; and (6) if adequate notice is being given to the EU data subjects regarding the transfer.
- Once the key transfers are identified, institute model clauses between data exporters and importers until further guidance is provided.
- Structure the transfers to be in compliance with the proposed EU General Data Protection Regulation to the extent possible. (It is rumored that the “final” version of the Regulation will be complete by year end. Once approved, there will be a two-year transition period.)
- Keep informed of any statements by the Article 29 Working Party or data protection authorities providing guidance.
Timeline of Key Events
- 14 October 2015: Marit Hansen, head of ULD, the data protection authority in Schleswig-Holstein, issued a position paper noting that there must be a significant change in U.S. law. He advised that businesses in Schleswig-Holstein that transmit personal data to the U.S. should review their procedures as soon as possible, and consider alternatives for processing of personal data in the United States. The ULD recommended that companies using model contracts cancel them and review the data transfers. https://www.datenschutzzentrum.de/uploads/internationales/20151014_ULD-Positionspapier-zum-EuGH-Urteil.pdf.
- 16 October 2015: The Article 29 Working Party issued a statement that Safe Harbor arrangements are not valid, and:
  - By 31 January 2016, negotiations between the EU and the U.S. to resolve Safe Harbor concerns should be completed – providing a grace period until then for companies.
  - Prior to 31 January – Safe Harbor companies may rely on the EU Standard Clauses (Model Clauses) or Binding Corporate Rules (BCRs).
  - The EU Model Clauses and BCRs will be reviewed in light of the Court’s decision and the issues identified with regard to Safe Harbor.
A copy of the full text of the Article 29 Working Party’s Statement can be found here: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf.
- 19 October 2015: The Israeli Law, Information and Technology Authority revoked its prior authorization to transfer data from Israel to the U.S. that relied on Safe Harbor. https://www.dropbox.com/s/pe0aoy96juyvcna/ILITA%20SH%20Statement.pdf?dl=0.
- 20 October 2015: The Irish DPA announced its intention to carry out further investigation of Schrems’ Facebook privacy complaint.