Various stakeholders have now commented on the CJEU ruling on data exports to the USA.
What’s the issue?
Last month, we reported on the shock decision of the Court of Justice of the European Union (CJEU), which effectively held that personal data exported to the USA under Safe Harbor could no longer be presumed to be adequately protected.
What’s the development?
The CJEU ruling has caused widespread concern, commercially, legally and politically. Crucially, it left a great deal of uncertainty, not only over data previously being transferred under Safe Harbor, but about what to do next given the question mark over other data export solutions like Binding Corporate Rules (BCRs) and Model Contract Clauses.
The Article 29 Working Party (WP), individual Member State regulators and the European Commission have all now commented on the effect of the CJEU judgment. The WP confirms that transfers from the EU to the US can no longer be based on the Safe Harbor Decision 2000/520 (Decision). It goes on to say that, given that the fundamental issue was “massive and indiscriminate surveillance”, there is a need to assess the impact of the CJEU ruling on other data transfer solutions. At the moment, though, these transfer solutions are still valid. The WP committed regulators to enforcing the effect of the judgment after 31 January 2016 if no alternative solution is found by then.
The WP called for a coherent approach from Member State regulators, but we can see from the responses issued by the UK’s ICO and the German regulators that this is far from being the case. The ICO, while recognising the effect of the ruling on Safe Harbor and the resulting question mark over other data transfer solutions, has taken a pragmatic approach. His advice is “don’t panic”. He urges organisations to review their data export solutions but not to rush into alternatives to Safe Harbor until there is more clarity, particularly over the likelihood of a new Safe Harbor agreement (popularly referred to as Safe Harbor 2.0). The ICO will consider individual complaints but has no enforcement plans above and beyond the usual ones. The German regulators have, however, taken a harsher stance, with no enforcement holiday, no consideration of new BCRs and a reminder that consent will only work in exceptional circumstances.
The EC has also released a (not particularly informative) Communication. It is clearly trying to negotiate Safe Harbor 2.0 but warns this will take a minimum of three months. It claims that progress has been made, particularly with regard to oversight, but there is no sign that the USA will make any concessions on the issue of surveillance for national security purposes.
What does this mean for you?
If you have been relying on Safe Harbor to transfer or receive EU personal data, these are uncertain times. An alternative transfer solution is definitely needed but, as the ICO comments, we are now in a period of some uncertainty, which is made all the more complicated by the pending General Data Protection Regulation and the possibility of Safe Harbor 2.0. Possibly the safest means of compliance is relocating data to the EU, but that is not always a practical solution and is unlikely to eliminate data transfers altogether, even if it were to reduce them significantly. While some regulators take the view that the Model Contract Clauses will need to change to reflect the CJEU judgment, these are still likely to be the best interim solution and the easiest to put in place before the WP’s deadline of 31 January 2016. Despite the ICO’s advice not to rush into alternative solutions, doing nothing is probably not the best course of action, even though there is currently no bullet-proof long-term solution to the issue.
Article 29 Working Party views
The Article 29 Working Party (WP), comprised of EU regulators, published its views on the ruling.
Some key elements of the WP statement include:
- Transfers from the EU to the US can no longer be based on the Safe Harbor Decision (Commission Decision 2000/520/EC). Any transfers taking place after the CJEU judgment that relied on Safe Harbor are now unlawful.
- European data protection authorities must have a ‘robust, collective and common position’ on the CJEU judgment.
- A fundamental component of the CJEU ruling was the subject of ‘massive and indiscriminate’ surveillance. The WP reiterates that it has repeatedly stated that such surveillance is not compatible with EU law and that, where state authorities’ access to information goes beyond what is necessary in a democratic society, such countries and territories will not be deemed safe places for transfers of EU data. Further, the CJEU ruling requires that any adequacy decision made by the Commission must be based on a wide analysis of a third country’s ‘domestic laws and international commitments’.
- Member states and European bodies must urgently discuss with the US authorities to achieve a ‘political, legal and technical solution’ to enable transfers that ‘respect fundamental rights’. The WP suggests that these solutions could be found through intergovernmental agreements to provide enhanced guarantees to EU data subjects and possibly as a result of the current negotiations on a new Safe Harbor (i.e. Safe Harbor II).
- The impact of the CJEU ruling on other transfer solutions will continue to be assessed by the WP. During this period the EU data protection authorities will consider that the Standard Contractual Clauses and Binding Corporate Rules can still be used. However, member state data protection authorities will still have the authority to look behind those mechanisms ‘for instance on the basis of complaints’ and, where necessary, ‘exercise their powers to protect EU data subjects’.
- If by the end of January 2016 no further solution is found between EU bodies and the US authorities (and depending on the WP assessment of the other transfer tools), EU data protection authorities ‘are committed’ to take action ‘which may include co-ordinated enforcement’.
- Businesses should assess the risks they take when transferring data and should consider implementing ‘legal and technical solutions in a timely manner to mitigate those risks’.
The statement is useful for organisations grappling with the post-Safe Harbor world, in that it confirms the other transfer solutions are valid (for now) and the onus is now on the negotiating bodies of the EU and US to deliver appropriate solutions for transfers to the US.
ICO statement on Safe Harbor ruling
Following publication of the WP statement, David Smith, Deputy Information Commissioner, published a statement outlining the ICO’s approach. The point is made that other adequacy decisions made by the European Commission still stand and can be relied on by businesses for the time being. However, the CJEU ruling inevitably casts doubt on the future of these other mechanisms because data transferred under them can potentially be accessed by intelligence services. The ICO says political, legal and technical solutions are required and these depend on Member States and EU institutions cooperating with the US authorities.
The ICO advises against panicking and rushing into other compliance mechanisms which “may turn out to be less than ideal”. The ICO also cautions against relying on consent, as that does not necessarily protect the data any more effectively than a transfer under Safe Harbor. The ICO advises organisations to consider what personal data they transfer outside the EU, what arrangements have been made to protect the data and whether they are adequate. However, there should be no rush to change, especially as there is a possibility that a ‘Safe Harbor 2.0’ may resolve the issue.
The ICO says UK businesses have the option of making their own adequacy assessments and points to its guidance on data transfers to assist with this. While the ICO says it will be updating the guidance, it also underlines that it is, “for the most part”, still valid.
The ICO states that it will not be rushing to use its enforcement powers, particularly as there is no new immediate threat. It will be considering individual complaints but will be sticking to its published enforcement criteria and not taking rushed action during a period of uncertainty.
German regulators’ response
German data protection regulators published a consolidated statement on their approach following the Safe Harbor ruling. They take a predictably strict position although it remains to be seen whether this will be followed up with enforcement. In summary, they say:
- DPAs will prohibit any data transfers still based on Safe Harbor that come to their knowledge without any grace period;
- where Model Clauses are used, DPAs will analyse them especially in accordance with the requirements stated under no. 94 and 95 of the CJEU decision;
- German DPAs will not authorise any new BCRs or ad-hoc contracts for the time being;
- consent, especially within an employment relationship, will only be accepted in exceptional cases;
- the model clauses need to be amended in accordance with the requirements set out by the CJEU.
EC publishes guidance on transatlantic data transfers following the Schrems ruling
The European Commission has issued a Communication dealing with the aftermath of the CJEU’s Safe Harbor ruling. It underlines that data transfers cannot be based on the now defunct Safe Harbor Decision and that the alternative mechanisms of BCRs, Model Clauses and derogations should be relied on instead, while warning that the Article 29 Working Party is continuing to assess their validity.
The Communication goes on to discuss a new Safe Harbor agreement and the status of current negotiations. Progress has been made on stronger oversight by the Department of Commerce and the Federal Trade Commission together with sanctions for non-compliance. European DPAs are also expected to play a role in the system. That being said, the Commission is expecting negotiations to take at least another three months.
Next steps in Schrems v Facebook
The High Court of Ireland has ordered the Irish Data Protection Commissioner to investigate the complaint against Facebook made by Max Schrems in relation to the export of his personal data to the USA.