We reported previously (see here and here) on the recent striking down by the Court of Justice of the European Union (CJEU) of the European Commission’s decision on Safe Harbor on the basis that the Safe Harbor framework does not sufficiently protect the fundamental rights of EU citizens.
On foot of the judgment, the Commission has published guidance in the form of a Communication on the transfer of personal data from the EU to the US. The Communication notes that post-Schrems, negotiations with the US on a new arrangement for transatlantic data transfers have been “stepped up” and provides non-binding guidance to data controllers on the alternative bases for legitimising transfers to the US. This guidance is, however, without prejudice to the powers of national data protection authorities who must examine the lawfulness of such transfers with “full independence”.
The Communication notes that businesses can continue to rely on a number of alternative tools when undertaking transfers to third countries deemed not to provide a sufficient level of protection. It reiterates the Article 29 Working Party confirmation (see here) that Standard Contractual Clauses (SCCs) and Binding Corporate Rules can continue to be used to legitimise transfers up to the end of January 2016 at which point national data protection authorities will take all necessary and appropriate enforcement action.
On SCCs, the Communication outlines that though these have been approved by the Commission, the use of SCCs does not preclude examination of such clauses by national authorities in line with the requirements set out in Schrems. If there is any doubt in this regard, the relevant authority should refer the matter to a national court, which can in turn refer the matter to the CJEU.
Regardless of the alternative transfer solution relied upon, the Communication points out two important conditions: that all personal data must be collected and processed in a manner which complies with the legal requirements of fair processing and that, in the absence of a Commission finding on adequacy, the responsibility is on data controllers to ensure data transfers take place with sufficient safeguards.
Letter from NGOs
The Safe Harbor framework has faced scrutiny for some time now. The Commission noted in a November 2013 Communication that “there has been a growing concern among some data protection authorities in the EU about data transfers under the current…scheme.”
As well as listing some of the Framework’s major problems, the Commission’s 2013 Communication went on to make 13 recommendations for improving Safe Harbor. However, these were formulated before the recent CJEU judgment. According to an open letter written recently by a number of NGOs in the area, “viewed in light of the Schrems decision as well as the experience of consumer organisations on both sides of the Atlantic, it is clear that these principles will do little to reestablish trust for consumers.”
More problematically, the human rights and privacy organisations note that "a revised Safe Harbor framework similar to the earlier…framework will almost certainly be found invalid by the national data protection agencies and ultimately by the CJEU." This is because the reasons given by the CJEU for striking down the framework would also apply to its replacement.
What is needed, the NGOs suggest, is for privacy laws themselves to be updated in both the EU and the US in light of the judgment. The letter goes on to offer its own 13 recommendations for how this might be done, which call for the end of mass surveillance by intelligence agencies, the establishment and modernisation of legal frameworks that protect fundamental rights, and increased transparency and accountability for organisations which collect and use personal data, amongst other things.
Businesses who had previously relied on Safe Harbor in respect of international data transfers (whether directly or indirectly) need to urgently implement an alternative solution while monitoring the on-going situation as it develops.