Following the landmark ruling of the Court of Justice of the European Union (the “ECJ”) of 6 October 2015 in Maximillian Schrems v Data Protection Commissioner (Case C-362/14) (the “ECJ Decision”), the Art. 29 Working Party (the “WP”) has issued a statement providing preliminary guidance on the impact of the ECJ Decision at both European and national levels.
The WP has underlined that massive and indiscriminate surveillance is incompatible with the EU legal framework, and existing transfer tools are not the solution to this issue. Therefore, according to the WP, Member States and the European Commission should urgently open discussions with US authorities in order to find, through intergovernmental agreements, suitable political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights. However, if by the end of January 2016 no appropriate solution can be found with the US authorities, the EU data protection authorities will take all necessary and appropriate actions, which may include coordinated enforcement actions.
With reference to the practical consequences of the ECJ Decision, the WP has clearly stated that transfers from the European Union to the United States can no longer be based on the European Commission adequacy decision 2000/520/EC (the “Safe Harbour Decision”). However, although the WP will continue its analysis of the impact of the ECJ Decision, for the time being the EU Model Clauses and Binding Corporate Rules can still be used. Nonetheless, national data protection authorities remain free to exercise their powers to protect data subjects’ rights when they receive individual complaints.
The EU data protection authorities will put in place appropriate information campaigns at national level to inform all stakeholders; this will include sending individual communications to all known companies that used to rely on the Safe Harbour decision, as well as publishing general messages on their websites.
The WP has recommended that businesses reflect on the risks they take when transferring data and consider putting in place, in a timely manner, legal and technical solutions to mitigate those risks and comply with the applicable EU data protection laws.
But what’s next now? Will the national data protection authorities (the “DPAs”) strictly follow the WP’s position? What should companies do to mitigate legal risks? Please find below a country-focused analysis from some of our EU offices.
The Austrian DPA is of the opinion that the ECJ Decision has no impact on transfers by private individuals, as such transfers have never been subject to any authorisation requirement. Data transfers to the USA which, until now, were exempt from authorisation can no longer take place on the basis of Safe Harbour. This will primarily affect data transfers to and from enterprises. To address this, the DPA has suggested the following approach: retrieving the data from the USA and processing it locally on a different server; this server can be located within the enterprise in Austria, in another EU Member State or in a safe third country. Safe third countries are the members of the European Economic Area (EEA = EU + Iceland + Liechtenstein + Norway) and other states listed in regulations issued by the Austrian Government. The Data Protection Act provides further exceptions, including: (i) performance of a contract in the interest of the data subject (where one business partner is established in the US); (ii) the data subject’s consent (which must be based on all necessary information, including an exact indication of the recipient and the location and purpose of the processing); (iii) where only publicly available data is affected; or (iv) where the transfer is explicitly permitted under a standard application pursuant to a governmental regulation. Despite the statements issued by the European Commission and the WP, according to which data transfers to the US remain admissible on the basis of the EU Model Clauses and Binding Corporate Rules, the DPA reserves the right to authorise each individual transfer and to assess whether the recipient state offers adequate data protection standards. This requires an application to the DPA.
On 16 October 2015 the Belgian DPA (the “BDPA”) issued a brief statement (in Dutch and in French) about the ECJ Decision. The BDPA welcomes the ECJ Decision because the decision confirms the importance of intervention by independent DPAs in privacy disputes. The statement also stresses the importance of a common and coordinated approach between the various DPAs in the EU. On 27 November the BDPA will host a meeting for data privacy professionals and academics to discuss the impact of the ECJ Decision and to find appropriate solutions.
The Bulgarian Personal Data Protection Commission (the "PDPC") has not yet adopted any official position with respect to the ECJ Decision. Bulgarian companies who have been relying on the Safe Harbour scheme should seek alternative (additional) options of safeguarding the privacy of personal data transferred to the US. Such options could include: (i) concluding with the respective US entities the EU Model Clauses, or (ii) obtaining prior authorisation from the PDPC for the data transfer, subject to the PDPC evaluating the transfer structure and the adequacy of the level of data protection in the third state (i.e. the US), or (iii) acting on the basis of specific and informed consents from the data subjects or on the basis of sufficient data protection guarantees.
Czech companies who have been relying on the Safe Harbour scheme should immediately seek alternative options for safeguarding the privacy of personal data transferred to the US. In this respect, according to the standpoint of the Czech DPA, the preferred option is to conclude the so-called EU Model Clauses. If an agreement containing the EU Model Clauses is not concluded with the receiving US entity, the data transfer is not possible unless the Czech data controller obtains a permit issued by the Czech DPA.
Official guidance in Germany is complicated by the fact that there are a total of 17 data protection supervisory authorities (one in each federal state plus one at federal level with limited authority over the private sector). So far, the joint body of the German DPAs (the "Duesseldorfer Kreis" or "Duesseldorf Circle") has not issued a consolidated view on the matter. However, last week, prior to the WP's statement, the local DPA of the northern state of Schleswig-Holstein issued a position paper according to which ex-EU/EEA data transfers on the basis of the EU Model Clauses would be "no longer permitted". The paper also raised concerns regarding international data transfers based on data subjects' consent. The view of the Schleswig-Holstein DPA, considered extreme by privacy professionals, appears to be shared to some extent by other DPAs at federal state level, although it does not constitute a co-ordinated approach by all German DPAs. A co-ordinated view may be developed over the next few days on the basis of the WP's statement. In any event, the German DPAs may assess the legal framework for international data transfers on a case-by-case basis, especially if data subjects file complaints.
Hungarian companies who have been relying on the Safe Harbour scheme should seek alternative options to safeguard the privacy of personal data transferred to the US. Data transfers to the US are possible with the prior, express and informed consent of the data subject; however, as a result of the ECJ Decision, Hungary’s Authority for Data Protection and Freedom of Information (the "NAIH") may want to review whether such consent contains adequate information on the level of data protection in the US. Besides individual consent or intra-group transfers based on Binding Corporate Rules, the only alternative for Hungarian companies is to conclude the EU Model Clauses, provided that there is a legitimate interest for the proposed data transfer. Since 1 January 2012, other individual data transfer agreements have not been considered as providing ‘adequate protection’ for data transfers to the US. Further guidance from the NAIH is expected following the WP’s statement. The NAIH will likely revise its prior position on data transfers outside the EU, in particular its Recommendation on Data Transfers Abroad dated 11 November 2013, in which Safe Harbour was recognised as adequate protection. In its communication on the ECJ Decision, the NAIH does not address previously transferred data. Based on informal discussions with the NAIH, it appears that it will not “target” previous Safe Harbour transfers on its own initiative, but only if it receives a complaint regarding a particular transfer.
A few hours after the publication of the ECJ Decision, the Italian DPA (Garante) issued a short statement stressing the need for a coordinated approach by all the national DPAs on this issue. In the light of the WP’s statement, it is likely that the Garante will repeal its Safe Harbour general authorisation of 2001, which is still formally valid. Italian businesses should urgently review existing contracts with all US counterparties and resort to the alternative compliance mechanisms available to them, such as the EU Model Clauses.
The Dutch DPA (the “CBP”) has stated that the ECJ Decision emphasises the importance of the national data protection authorities' capacity to conduct independent research. This is essential in the current climate, where the personal data of European citizens is passed on worldwide. For the time being, the position of the CBP is in line with that of the WP.
The Portuguese DPA (Comissão Nacional de Protecção de Dados – the "CNPD") published the ECJ Decision on its website a few hours after the decision was made public. However, no public statement or guidelines have been issued by the CNPD. Following the WP’s statement, it is likely that the CNPD will issue a formal statement. The CNPD has already updated the electronic forms on its website and, as a result, interested parties are no longer able to apply for authorisations using the Safe Harbour mechanism. Considering the implications of the ECJ Decision for the Portuguese framework, it is also possible that in the near future the CNPD will adopt transitional measures for authorisations in force that rely on the Safe Harbour mechanism. US-based companies and companies that have agreements in place with US counterparties for transferring personal data to the US are advised to review the agreements in force and identify alternative mechanisms to ensure full compliance, for example by adopting the EU Model Clauses.
The Romanian DPA (the “RDPA”) has taken note of the ECJ Decision. The RDPA has not, however, positioned itself formally with respect to how it intends to approach existing transfers to US Safe Harbour data importers (which have been previously notified, but did not require prior authorisation from the RDPA), or pending or future notifications. However, in the light of the WP’s statement, all Romanian companies which effect transfers of personal data to US counterparties should urgently review the existing consent forms given by the data subjects and the contractual arrangements with such US counterparties. If the transfer relies on Safe Harbour protection, they should seek to apply other mechanisms that provide adequate protection for transfer of personal data abroad, e.g. the EU Model Clauses, Binding Corporate Rules or the explicit consent of the data subject (to be freely given and based on prior information).
A few hours after the publication of the ECJ Decision, the Slovak DPA issued a short statement informing the general public of the contents of the ECJ Decision. It is very likely that, following the WP’s statement, the DPA will provide further guidance on the issue. Formally, the Safe Harbour concept is still part of the Slovak Data Protection Act. However, in light of the ECJ Decision, and taking into consideration the primacy of international treaties over national law, Slovak companies who have been relying on the Safe Harbour scheme should immediately seek alternative options for safeguarding the privacy of personal data transferred to the US (e.g. the EU Model Clauses).
The Slovene Information Commissioner (the “SIC”) has posted two public statements (the first on 25 September and the second on 6 October), to the effect that the ECJ Decision brings hope for an acceleration of the regulation of transfers of personal data from the EU to the USA in order to give adequate protection to personal data. The SIC emphasised the importance of the ECJ Decision for those involved in the negotiation of the expected Regulation on the protection of personal data, and in the discussions on a possible agreement on the free transfer of personal data between the EU and the authorities in the USA. Furthermore, whilst she emphasised the economic importance of the transfer of personal data between the EU and the USA, she said that this should not result in a lower standard of protection for the rights of EU citizens. Following the above statements and the meeting of the WP, the SIC released another statement on 19 October, stating that the SIC will reopen the proceedings to determine whether the USA provides sufficient protection of personal data when such data is transferred to organisations operating under the Safe Harbour principles. In the statement she emphasised that the transfer of personal data to the USA solely under the invalidated Safe Harbour Decision is deemed unlawful. The options for transferring such data therefore remain unchanged: a company either obtains a decision from the SIC that the level of protection of personal data in the US is sufficient for an individual case or use, or relies on the EU Model Clauses or Binding Corporate Rules. Furthermore, the Personal Data Protection Act also provides exceptions for individual and non-recurring transfers.
For the time being there is no official communication from the Spanish Data Protection Agency (“SDPA”) on the practical implications of the ECJ Decision. The SDPA has only issued a press release on 6 October summarising the ECJ Decision and pointing out the future coordination actions to be carried out by the European data protection authorities in order to ensure a consistent application of the Decision in all Member States. Notwithstanding this, and in light of the WP’s statement, an official communication is expected in the near future that will analyse the implications of the ECJ judgment and the national steps to be taken. It should be stressed that informal consultations with the SDPA indicate that all international data transfers to the US taking place since the publication of the ECJ Decision would have to observe the general requirements under Spanish data protection law (i.e. prior authorisation by the Director of the SDPA, or application of one of the legal exceptions such as the prior unambiguous consent of data subjects). On the other hand, in relation to international transfers to the US made prior to the ECJ Decision in reliance on the Safe Harbour principles, it is to be expected that the SDPA may request, on its own motion, that all affected businesses rectify their situation (e.g. by requesting the authorisation of the Director of the SDPA). In any event, it is advisable for Spanish businesses to urgently review their data transfers to the US and, where necessary, act on their own initiative before the SDPA by requesting the relevant authorisation.
The UK Information Commissioner’s Office (ICO) issued a holding response following the ECJ Decision, acknowledging the significance of the decision but making clear that businesses will have time to adapt to its consequences. Deputy ICO Commissioner David Smith said: “The [judgment] means that businesses that use Safe Harbour will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time to do this.” Following the WP’s statement, the ICO will likely issue guidance for businesses on alternative compliance options. One such option is for businesses to obtain data subjects’ consent, though in practice this may be difficult to administer. Binding Corporate Rules allow transatlantic intra-group transfers of personal data but require a time-consuming DPA approval process and do not assist unrelated companies. The most practicable option for most businesses at present is the adoption of the EU Model Clauses. However, certain transfer arrangements remain outside the scope of the existing EU Model Clauses.
Tom De Cordier
José Luís Arnaut
Blanca Cortés Fernández
Eva Cassinello Herrera