On October 14, 2015, the data protection commissioner from the German state of Schleswig-Holstein issued a position paper declaring that the use of model contract clauses by U.S. companies and European employees’ consent to transfer their personal data to the United States are invalid. This position paper, which comes on the heels of the European Court of Justice’s (ECJ) October 6 decision in Schrems v Data Protection Commissioner to invalidate the legal basis for the U.S.-EU Safe Harbor Framework, is based on the same rationale as this groundbreaking decision. The commissioner specifically recommended that German companies cancel their standard model contracts with their U.S. counterparts, perform a complete review of data transfers, and consult with the data protection authority (the commissioner from the German state of Schleswig-Holstein) regarding data transfers to the United States. Fortunately, so far only the commissioner in this relatively small German state has taken such an extreme view.
Meanwhile, on October 16, 2015, the Article 29 Working Party issued a statement regarding the impact of the European Court of Justice’s Schrems decision. The Article 29 Working Party is composed of a representative of the national data protection authorities of each EU country, a representative of the European Data Protection Supervisor, and a representative of the European Commission. The Article 29 Working Party is charged with examining any question covering the application of EU data protection directives and facilitating the uniform application of these directives.
The Working Party made it clear that the practical impact of the Schrems decision was that data transfers from the European Union to the United States can no longer be based on the European Commission adequacy decision 2000/520/EC. Thus, according to the Working Party’s statement, any transfers based on decision 2000/520/EC that take place after October 6, 2015, are unlawful.
The Working Party also stated that it will continue its analysis of the impact of the ECJ’s decision on other data transfer tools. During this period, data protection authorities will permit “Standard Contractual Clauses” and “Binding Corporate Rules” to be used. Data protection authorities will have the authority “to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.”
The Working Party emphasized that “the question of massive and indiscriminate surveillance is a key element” of the ECJ’s analysis in Schrems. It reiterated that “transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers.” Therefore, under Schrems any adequacy decision made by data protection authorities requires a “broad analysis” of the third country’s “domestic laws and international commitments.”
Consequently, the Working Party “urgently” called upon “the Member States and the European institutions to open discussions with U.S. authorities in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects.”
The Working Party noted that “[t]he current negotiations around a new Safe Harbour could be a part of the solution. In any case, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms, and on data protection rights.”
The Working Party concluded by stating that, if “no appropriate solution is found with the U.S. authorities” by the end of January 2016 and depending on the assessment of the alternate data transfer tools by the Working Party, EU data protection authorities will “take all necessary and appropriate actions, which may include coordinated enforcement actions.”
In the meantime, companies may want to take stock of how all personal data they transfer from Europe is transmitted, processed, and stored. Inasmuch as the Safe Harbor Framework is a means of ensuring that personal data processed in the U.S. is afforded protections similar to those afforded to personal data processed in the EU, its requirements are still a good guide to protecting data whatever system or framework may be established to replace it. Using the Safe Harbor Framework’s requirements as a guide will reduce the likelihood that an employee or data protection authority will challenge a company’s use of personal data—even in Schleswig-Holstein. U.S. companies working in the EU can take the following steps with regard to their data privacy practices:
- Map the company’s data flows;
- Review and “cleanse” personal data that the company has stored and consider anonymizing it;
- Look at what derogations from the EU Data Protection Directive might apply;
- Review the company’s data protection policies and procedures and audit the company’s compliance with them;
- Inform stakeholders of changes required or new consent or registration requirements; and
- Adopt EU-approved “Model Clauses” where needed.