In the aftermath of the recent CJEU judgement invalidating the Safe Harbor framework, businesses are now looking to address the consequences of the judgement. This FAQ aims to answer some of the most frequent questions raised by US organisations on this issue.
1. What is it all about?
The Safe Harbor framework is a voluntary set of principles which was developed by the US and the EU in 2000 to overcome the data transfer restrictions set out in the Data Protection Directive 95/46/EC. In its Decision 2000/250, the EU Commission found that data transferred to US Safe Harbor certified companies is afforded an adequate level of protection for the purpose of Directive 95/46/EC, meaning that these transfers are lawful.
On 6 October 2015, the Court of Justice of the European Union declared the Commission’s Safe Harbor decision to be invalid, essentially in light of untargeted US access to data, the insufficient right of redress for EU citizens and the restrictions placed on the powers of EU data protection authorities.
2. What categories of US businesses are impacted by the judgement?
The ruling impacts US-based service providers (e.g. cloud providers, online service providers) operating on the EU market as well as US companies relying on intra-group data flows from the EU to the extent that these organisations rely on their Safe Harbor certification to receive EU personal data.
3. What does it mean for data transfers to the US?
Data transfers to the US carried out after 6 October 2015 and which are solely reliant on the Safe Harbor certification of the US recipient entity (i.e. without any other data transfer arrangement in place) are likely to be unlawful. The judgement does not invalidate all forms of data transfers to the US, and other data transfer solutions may still be relied upon (see Q. 10).
As an indirect consequence, it is possible that a higher level of scrutiny will be applied to US data transfers by some national regulators. For instance, German data protection authorities have announced that they will not issue any new authorisation for data transfers to the US. The Swiss and Israeli regulators have also declared US data transfers made in reliance on the Safe Harbor framework to be unlawful.
4. Does the judgement affect existing Safe Harbor certifications?
Existing commitments that US organisations have made to the Safe Harbor principles are still legally binding and enforceable by the Federal Trade Commission. However, as a result of the judgement, these certifications no longer form an adequate basis for data transfers to the US.
5. Has practical guidance been issued by the relevant EU authorities?
The group of EU data protection authorities, the so-called “Article 29 Working Party”, issued a statement on 16 October 2015. Unfortunately this statement does not provide much practical guidance, except that it clarifies that Binding Corporate Rules and Model Clauses are still valid data transfer tools subject to further analysis by the Working Party.
Additional responses are expected to be delivered at EU and national level over the coming weeks, and therefore future developments should be closely monitored. The EU Commission has stated that it will issue clear guidance to ensure a uniform response from national regulators and to provide legal certainty for organisations. National regulators are also expected to release their own guidelines about next steps.
6. What is the risk of enforcement action?
The Working Party has granted a three-month grace period for companies to put their house in order, so there should not be any regulatory action before February 2016. The Working Party has stated that if by the end of January no appropriate solution has been found with the US authorities, and depending on the outcome of its analysis of the other data transfer tools, EU regulators could start conducting coordinated enforcement action. In addition, the Working Party has underlined that national regulators retain the power to investigate organisations independently in accordance with their national laws.
It is nonetheless difficult to determine with certainty how and when enforcement action will be carried out in practice. For instance, it is unclear which criteria the regulators would use to coordinate their regulatory activities. What is certain is that enforcement action may only be carried out against companies acting as a data controller, and therefore service providers should not be on the regulators’ radar to the extent that they qualify as a data processor.
7. Is immediate action required?
In light of the Working Party’s statement (see Q. 5 and Q. 6), it is clear that businesses should start looking into the range of available alternatives in order to come up with a plan of action. That said, companies should not rush into anything until they have carefully considered their priorities and the options offered to them. The key here is to remain proactive in order to demonstrate to the regulators that remediation steps have been taken to address the consequences of the judgement.
8. What about a “Safe Harbor 2.0”?
The EU and the US have been working on a new Safe Harbor framework since 2013. Much progress has been made so far; however, national security derogations have been a sticking point and the timeline of the negotiations is not definite. As a result, it is uncertain when we are going to see a new framework.
In this context, companies adopting a ‘passive approach’ until a Safe Harbor 2.0 is agreed may run the risk of losing customer trust and facing enforcement action if no framework is finalised by the end of January 2016 (see Q. 6).
9. What compliance steps should businesses take?
Businesses are advised to take the following steps to build their own “plan B”:
- Map out EU-US data flows where Safe Harbor is currently relied upon and identify key features (e.g. data categories, purpose of the transfer).
- Prioritise data flows depending on business needs and data flows’ key features.
- Review alternative data transfer options and roll out the most appropriate one for your organisation.
- Check whether any additional local requirements need to be satisfied (e.g. regulatory filing or authorisation, individual privacy notices).
- Document all steps that have been taken.
- Keep abreast of the latest developments on the matter.
10. What are the relevant data transfer options for US organisations? And what are the pros and cons?
There is no “one size fits all” solution and so businesses should cautiously explore the benefits and risks of each route to determine which one is most suitable for them.
- Standard Model Clauses
  - Pros: straightforward, quick, best short-term solution
  - Cons: burdensome in some EU countries (regulatory filing), limited contractual flexibility, not suitable for processor-to-processor transfers, not a realistic option when contracting directly with EU individual customers
- Binding Corporate Rules
  - Pros: valuable long-term solution (formally recognised by most EU regulators and likely to be endorsed by the future General Data Protection Regulation)
  - Cons: lengthy, complex and expensive application process
- EU data centres
  - Pros: no scrutiny from EU regulators
  - Cons: cost and time required for implementation, not helpful if data needs to be further transferred to the US (e.g. remote support)