- I’m Safe Harbor certified and have seen news articles reporting that “Safe Harbor is invalid”. What does that mean? On 6 October, the European Court of Justice delivered a judgment which invalidated the Safe Harbor framework. Safe Harbor was a 15-year-old trade pact under which personal data could legally be transferred from the EU to the United States.
- When does the court’s decision come into effect? The decision had immediate and retrospective effect. Strictly speaking, any data flows to the United States that were being conducted solely on the basis of Safe Harbor are now being carried out unlawfully if no other steps have been taken to legitimise the transfer.
Safe Harbor self-certified organisations
- Do I need to stop all international data transfers? No, as the decision only affects transfers of personal data from the EU to the United States when the transfers were being made under Safe Harbor. The European Commission and some of the national data protection authorities have indicated that they expect organisations that relied on Safe Harbor to implement alternative mechanisms to legitimise transfers of personal data from the EU to the United States.
- I still need to transfer data from the EU to the United States, what should I do? The European Commission has said that companies that had relied on Safe Harbor to legitimise data transfers should put other measures into place. These other measures could include Model Clauses or Binding Corporate Rules. There are also other derogations provided by the Data Protection Directive (95/46/EC) on which a company may rely to legitimise data transfers, such as obtaining the data subject’s consent; however, such derogations must be interpreted restrictively and applied in very specific cases. In the short term, Model Clauses are likely to be the most appropriate solution, although it is possible that in the future these could be legally challenged in the same way as Safe Harbor has been.
- Has any official guidance been released regarding the implications of the court’s decision? Not yet. The European Commission issued a statement on the decision on 6 October, setting out other methods for data transfers between the EU and the United States. Also on 6 October, the French Commission Nationale de l’Informatique et des Libertés (CNIL – the French data protection authority) announced that it would meet with the Article 29 Working Party to determine the legal and operational consequences of the ruling on data transfers based on Safe Harbor. This is a process that all European regulatory bodies will feed into.
In the UK, the Information Commissioner’s Office (ICO – the UK data protection authority) issued a statement advising that it would be issuing further guidance, and businesses should check its website over the coming weeks. Importantly, it also stated that “businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.” We expect that further guidance will be released over the next few weeks.
What are our next steps?
- Do you know what data you collect? Before you can begin to put new measures in place, you will need to understand and map out the types of personal data collected and stored by your organisation. Some types of data require more stringent steps to be taken.
- Do you know what data you send to the United States? Related to the above, you will need to understand exactly what types of data you send to the United States to be able to put new measures in place.
- Do you know what services your suppliers/vendors supply? Increasingly, IT systems are hosted in the cloud, which may mean personal data has been transferred to the United States, or you may have US-based suppliers that require you to transfer personal data to them. You should be aware that, as a data controller, your organisation remains responsible for the way that personal data is processed, even once it has left you and is with your suppliers. The flow of personal data could affect your entire supply chain. It is important that you know which of your US-based suppliers handle personal data and whether they were certified to Safe Harbor. If any of them were, then you will need to put in place an alternative mechanism to ensure that such transfers are lawful.
- What do I do if I receive something from my supplier asking me to sign? This is likely to happen if your supplier was Safe Harbor certified and is proactively trying to put in place alternative measures for data transfers. If you are presented with a new contract to sign, it should be reviewed carefully to ensure that it is adequate for your business purposes. Do not be tempted to put a “quick fix” in place in order to bridge the gap: in the long term, it may well come back to haunt you. Some regulators, such as the CNIL, have issued guidelines indicating that suppliers, and in particular cloud service providers, can be held liable for breaches.
- I need more advice; what are Model Clauses, Binding Corporate Rules, etc.? If your organisation relied on Safe Harbor, there are a few potential replacements, including Model Clauses and Binding Corporate Rules. The solution that is right for a business will vary depending on the way that it uses and transfers data, as well as its corporate structure. If you’d like to discuss the needs of your business, please contact one of the Reed Smith lawyers listed below.
Organisations that are not Safe Harbor certified
- My business is not Safe Harbor certified – does that mean I can ignore this ruling? Not at all. Even if your company is not certified, it is possible that your suppliers will have been certified to Safe Harbor, and that by your contracting with them, you relied on their certification to enable you to transfer personal data to them. It is important, therefore, to find out which of your suppliers had been certified to Safe Harbor.
- Can I still transfer data to suppliers that are Safe Harbor certified? Not on the basis of Safe Harbor. If you are transferring data from the EU to the United States, and it is “personal data” as defined in the Data Protection Directive, such transfers are now unlawful unless another legal ground applies to the transfer. The ICO has recognised that it may take some time for businesses to put new measures into place; however, a solution will need to be implemented in the medium to long term.
- Are any guidance notes available? Not at the moment. The European Commission has issued a statement on the CJEU’s decision which sets out other methods for data transfers between the EU and the United States. Similarly, the ICO issued a statement advising that it would be issuing further guidance, and businesses should check its website over the coming weeks. The French CNIL will do the same.