Under the Estonian Personal Data Protection Act, transfers to Safe Harbour certified entities in the US took place as if they were transfers within the EU/EEA. There was no requirement to obtain a prior authorisation from the Estonian Data Protection Inspectorate (“Inspectorate”) for such transfers.
The ruling that the Safe Harbour framework is invalid has several immediate practical consequences for businesses in Estonia that have relied on the Safe Harbour framework to transfer personal data to the US.
First, from now on a prior authorisation from the Inspectorate has to be obtained to transfer personal data to the US. The data exporter must demonstrate that it has a valid legal basis to process the personal data and that a sufficient level of data protection is guaranteed in the US for that specific case of data transfer. To demonstrate to the Inspectorate that a sufficient level of data protection is guaranteed the data exporter can generally rely on data transfer agreements that are based on EU Model Contracts or Binding Corporate Rules.
No prior authorisation is needed from the Inspectorate only:
- if the data subject has provided a valid consent for the specific transfer to take place;
- where the transfer is necessary for the protection of the life, health or freedom of the data subject or another person if obtaining the consent of the data subject is impossible;
- if a third person requests information obtained or created in the process of performance of public duties and the data requested do not contain any sensitive personal data and access to it has not been restricted for any other reasons.
Second, for those companies that, until the Schrems judgment, have transferred data to the US under the Safe Harbour regime and urgently need to continue such data transfers legally, there is a great deal of uncertainty regarding how quickly they should implement new measures and obtain a relevant authorisation for transferring personal data to the US.
On one hand, it is clear that the Safe Harbour principles can no longer be relied upon and the data exporters have to implement new measures for the transfers, but on the other hand it is also unlikely that the Inspectorate will now direct its resources into active supervision over data controllers who are likely transferring personal data to the US. There is no official guidance available from the Inspectorate on this issue. It is expected that the Inspectorate will soon update their non-binding guidelines on data transfers.
Author: Mikhel Miidla, Senior Associate, Sorainen law firm