As discussed in our previous posts, after the European Court of Justice decision in the Schrems case, transfers of personal data from the EU to the United States on the sole basis of the EU-US Safe Harbor (i.e. the principles and FAQ issued by the U.S. Department of Commerce in July 2000 that were the subject of an adequacy decision by the European Commission) are no longer legal.
Safe Harbor is used by more than 4,000 companies, including significant social media players, facilitating the flows of data between Europe and the United States; its invalidation has potentially serious economic consequences. Here are some thoughts for companies considering alternatives to the Safe Harbor.
Drawbacks of Consent
In theory, companies can lawfully transfer personal data with the specific and informed consent of the persons concerned. But obtaining specific consent for existing databases containing data of thousands of users can be burdensome; consent can be refused; and consent can be revoked. And, with notable exceptions (e.g. Spain), many regulators consider that consent from employees is generally not valid.
Drawbacks of BCRs
BCRs are not a short-term option, as they require a rather long and complex process of certification. BCRs are typically the (almost) final destination of a long privacy compliance journey implicating a fairly sophisticated compliance structure that not all companies can afford, and that in any case cannot be improvised.
Accordingly, in the short term the Standard Model Clauses are the more time- and resource-efficient tool for transferring personal data to the US. In this respect, as discussed during our latest webinar on Nov. 30 (see here for a link to the recording), there are some pros and cons:
Pros:
- Quick and efficient
- Standard template
- May be used in relation to third parties which are not members of the group
- Low cost
Cons:
- No flexibility on essential terms
- May also come under scrutiny of the DPAs in the near future
- Do not address all transfer patterns
- Additional legal basis (e.g., consent) may be required in some EU Member States
- Acceptance/confirmation/approval procedure in some EU Member States
That said, the Schrems decision potentially affects the underlying legal rationale for Model Clauses (and BCRs) because US public authorities are entitled to engage in surveillance, on grounds of national security, public interest and law enforcement, of personal data transferred via Model Clauses and BCRs. The G29 has already indicated that it is analyzing the impact of Schrems on these transfer mechanisms. Ultimately, what is needed is a wider solution at a political level. Within this context the negotiation between the EU and the United States regarding the transfer of data in connection with law enforcement should play a fundamental role. The recent and dramatic events that hit France (and Europe) may eventually facilitate a political rapprochement from both sides. Should this be the case, it would be a step closer to recognition that the United States is a country that provides adequate (personal data) protection.