In the Schrems judgment of 6 October, the Court of Justice of the European Union declared that the so-called Safe Harbour scheme, which allowed the convenient transfer of personal data from the EU to US companies, is invalid.
The Safe Harbour scheme was developed by the US Department of Commerce in consultation with the European Commission (the Commission). Under the Safe Harbour privacy principles, individuals must be informed, for example, when data about them is collected and the collected data must be relevant for the purposes for which it is to be used. In 2000, as a result of these consultations, the Commission decided that the level of protection for the transfer of personal data from the EU to US companies that had implemented these privacy principles was equivalent to the level of data protection in the EU. In practice, this meant that transferring personal data from the EU to a US company that had implemented the Safe Harbour principles was almost as easy as transferring the data to another EU member state.
Whether a particular US company had correctly implemented these privacy principles was in essence assessed by the company itself by self-certifying.
The ruling that the Safe Harbour framework is invalid has several immediate practical consequences for businesses in Latvia.
First, from now on, transferring personal data to the US, and registering the related data processing with the Latvian Data State Inspectorate (the Inspectorate), will be legally more difficult.
Before the Schrems judgment, for the Inspectorate to confirm that a data transfer was legal, it was enough to indicate in the data-processing registration application that the transfer would be to a US company that had Safe Harbour certification.
Now it is necessary to use other mechanisms for the transfer of personal data. All data transfers to the US are regarded as data transfers to a country that does not ensure a level of data protection equivalent to that in Latvia. The options are listed in Section 28 of the Latvian Personal Data Protection Law and, among others, include:
- A data transfer agreement must be concluded based on the EU Model Clauses or based on the standard conditions approved by the Latvian Government.
- The data subject gives consent.
- The data controller must be bound by the Binding Corporate Rules.
Instead of registering personal data protection activities relating to data transfers with the Inspectorate, data controllers have always been able to appoint and register a data protection specialist with the Inspectorate. However, this does not solve the problem of the lack of a relevant legal basis for international data transfers.
Second, for those companies that until the Schrems judgment have transferred data to the US under the Safe Harbour regime and urgently need to continue such data transfers legally, there is a great deal of uncertainty regarding what they should do now.
The Inspectorate is expected to announce an action plan in this respect as well as explain other practical consequences arising from the judgment. So far the Inspectorate has not officially commented on the consequences of the Schrems judgment; however, it is highly unlikely that data controllers who relied on the legality of the Safe Harbour regime for data transfers to the US until 6 October 2015 will face any negative consequences from the Inspectorate. Likewise, it seems unlikely that the Inspectorate will impose any severe sanctions on the data controllers who need reasonable time to implement new legal tools for the lawful transfer of data to replace those that have been invalidated by the Court of Justice of the European Union.