On 19 November, the Commission nationale de l’informatique et des libertés (CNIL) published an article entitled ‘Safe Harbor: What should businesses do?’ and associated FAQs aimed at businesses impacted by the Court of Justice of the European Union’s recent decision of 6 October 2015, Maximillian Schrems v Data Protection Commissioner (Case C-362/14), which invalidated the Safe Harbor framework.
In light of this decision, the CNIL stated that data transfers to the U.S. relying solely on the Safe Harbor framework are now illegal. After noting that it is currently examining, with the Article 29 Working Party (29 WP), the legal and operational consequences of the CJEU ruling, the CNIL announced that it will soon post further information on its website.
In the meantime, the CNIL has started mailing data controllers who have notified data transfers based on Safe Harbor, to alert them that they must find an alternative legal framework. This is also the purpose of the aforementioned article posted on its website, which additionally sets out practical steps for companies wishing to transfer data to the U.S.
To that end, the CNIL “invites” data controllers to carry out the following steps:
- Assess the real need to transfer data to the U.S.
First, the CNIL calls on the companies concerned to assess whether transferring the data is really indispensable, since the most legally secure solution is to keep the data within the EU. Companies could therefore stop transferring data to the U.S. where such transfers are not essential.
- When possible, use the ‘simplified notifications’
Second, if the transfer to the U.S. is indispensable, companies should consider using the ‘simplified notifications’ (normes simplifiées) available for the processing of HR data and of client data (NS 46 and NS 48, respectively). These simplified procedures enable companies to transfer data outside the EU, but they are strictly limited as to the purposes of the transfer.
For the ‘simplified notification No. 46’ (HR data), the purposes of the transfer should be limited to the following: conducting statistical reports or compiling lists of employees to meet administrative needs, managing internal directories and organization charts, providing computer tools to employees, monitoring and providing maintenance of the IT infrastructure, managing IT directories to define the access authorizations to applications and networks, implementing means for ensuring security and proper operation of IT applications and networks, managing professional emails, establishing virtual private internal networks (intranet).
As for the ‘simplified notification No. 48’ (client data), it may be used strictly for the purposes of client management operations (such as contracts, orders, deliveries, etc.), client prospecting, compilation of trade statistics, sale, lease or exchange of client and prospect files, organization of lotteries or any promotional operation, management of requests relating to the rights of access, rectification and opposition, management of non-payment and litigation, and management of client reviews of products and services.
- Amend existing notifications of data transfers to the U.S. based on Safe Harbor
For companies which have already filed a standard notification or an authorization basing their data transfer on Safe Harbor, the CNIL recommends amending the existing notification. In practice, companies should submit to the CNIL, either by post or online, a request to amend the existing notification together with the ‘Annex on transfer of data’ attached to the notification.
- Use the EU model clauses as a short-term instrument
In any case, the CNIL recommends using an alternative vehicle for the data transfer. Companies could choose either:
- Binding Corporate Rules (BCRs), a code of practice for intragroup transfers which has the advantage of being binding and enforceable and would be unlikely to be challenged by the CJEU. However, implementing BCRs is not a quick fix for the Safe Harbor invalidation, as obtaining approval can take 18 months or longer.
- EU model clauses, i.e. standard contractual clauses, which are simpler to implement and appropriate for all data transfers outside the EU. However, the CJEU ruling leaves open the possibility that the EU model clauses could be challenged on a similar basis in the future.
To help companies choose between the two options, the CNIL stated that although BCRs are likely to provide a more secure legal framework, the EU model clauses are the more operational tool in the short term.
- Meet the end of January 2016 deadline
In line with the 29 WP, the CNIL stated that if no appropriate solution has been found with the U.S. authorities and the EU member states by the end of January 2016, EU data protection authorities, including the CNIL, will examine the possibility of taking enforcement actions to prevent data transfers to the U.S.