Developments since the Court of Justice of the European Union (“CJEU”) ruled Safe Harbor to be invalid (the “Ruling”).
On 6 October 2015 the CJEU published its Ruling on the case of Maximillian Schrems v Data Protection Commissioner (the “Case”), declaring the decision by the European Commission (the “Commission”) on the adequacy of US Safe Harbor to be invalid. In the wake of the Ruling:
- a number of data protection authorities (“DPAs”) expressed their own opinion on the implications of the Ruling – many taking a considered and practical stance, while others (namely some of the German DPAs) attempted to muddy the water further by applying the same logic used by the CJEU in the Ruling to question the validity of other transfer mechanisms such as EU Model Clauses (“Model Clauses”) and Binding Corporate Rules (“BCRs”); and
- the Article 29 Working Party (the “Working Party”), on 19 October 2015, quietly released a brief statement (the “Statement”) to DPAs, explaining how DPAs should take enforcement action (or not, as the case may be) against businesses continuing to rely solely on Safe Harbor for the transfer of personal data. The Statement also set out a time limit for the implementation of Safe Harbor 2.0 and noted that the Working Party would be considering the validity of other transfer mechanisms in the meantime.
This briefing summarises the above developments and helps to answer the question still being asked by business in both the EU and the US: “what do we do now?!”
For a detailed summary of the Ruling (including the rationale given by CJEU in making its decision) please see our earlier briefing, which can be found here.
What are the DPAs saying?
UK – Information Commissioner’s Office (“ICO”)
On the date of the Ruling (6 October), the ICO made a statement in which it acknowledged that it would take some time for businesses to put in place alternative mechanisms where they had previously relied solely on Safe Harbor. It also suggested that a co-ordinated effort among DPAs would be appropriate.
France - Commission Nationale de l’Informatique et des Libertés (“CNIL”)
The CNIL has now updated its website to state that transfers of personal data on the basis of Safe Harbor are no longer possible. However, it too stressed the need for co-operation between DPAs.
Spain - Agencia Española de Protección de Datos (“AEPD”)
Similarly, the AEPD also placed the emphasis on co-ordination between DPAs, both in terms of analysing the Ruling and how to apply it consistently throughout Europe.
In contrast, some of the German DPAs (there are several, each representing a different region) have focused less on achieving co-ordinated, practical guidance for businesses, and more on the technical implications of the Ruling, specifically in relation to Model Clauses and BCRs.
The Independent Centre for Privacy Protection in the state of Schleswig-Holstein has said that, in its view, EU-US data transfers facilitated by the use of Model Clauses fail to comply with EU law. However, this authority is known for its conservative view, and the DPA for Hamburg has stated that Model Clauses are a viable alternative for the time being.
The Working Party Statement
In its Statement, the Working Party confirmed that reliance solely on Safe Harbor is now unlawful and addressed some of the above points by saying that:
- Model Clauses and BCRs can be relied on as an alternative to Safe Harbor, for now;
- the Working Party will, however, review the validity of these transfer mechanisms over the next couple of months – it noted that the mass surveillance by US authorities is a breach of EU fundamental rights (this being the foundation of the CJEU’s decision) and that reliance on Model Clauses and BCRs does not solve this wider issue;
- EU and US authorities should continue their negotiations in relation to a new version of Safe Harbor (“Safe Harbor 2.0”) which does solve these wider issues – presumably by implementation of new laws, restrictions and/or regulatory oversights in the US;
- DPAs should wait until the end of January 2016 to issue any enforcement against businesses that have not put in place alternatives to Safe Harbor; and
- after the end of January 2016, and dependent on the findings of the review by the Working Party on the validity of Model Clauses and BCRs, DPAs are encouraged to take all necessary steps to investigate complaints in relation to reliance on such transfer mechanisms and take enforcement action as necessary, including co-ordinated enforcement between DPAs where relevant.
However, the Statement was very short and did not offer much in the way of detail. For example, there is no guidance as to what a DPA should do during the period up to the end of January if it receives a complaint in relation to the application of Model Clauses or BCRs. According to the Ruling, such a DPA would be required to investigate and take action according to its findings. It will therefore be interesting to see whether any such complaints are made.
Ultimately, it appears the Working Party hopes its Statement will act as a catalyst to accelerating negotiations with the US in relation to Safe Harbor 2.0. However, it seems unlikely that the US would be able to (or indeed, willing to) implement new laws and/or regulations before February 2016.
So, what should you do?
As a first step, those relying on Safe Harbor should implement their ‘Plan B’ and ensure adequate protection by entering into Model Clauses or (where transfers are made internally within the group) consider Binding Corporate Rules. Careful consideration will, however, need to be given as to how to approach transfers to vendors and whether these contractual alternatives will be workable. For more information on Model Clauses please see our separate briefing note, titled ‘Model Clauses and Data Transfers – What you need to know in summary’.
Other options? Reliance on consent and other derogations from the transfer prohibition is unlikely to provide solutions for large-scale regular transfers. By their nature these derogations are supposed to deal with specific exceptions to what is otherwise seen as a fundamental right to protection. Consent would have to be very specific, informed and freely given: in practice an “opt in”, with the specific data and transfer described, as well as the impact of the loss of protection, in a way the reader will understand. This is not as easy to achieve as it might appear on first reading.
Although it looks like businesses have until the end of January to get this sorted, we would suggest immediate steps be taken as implementation can often take longer than expected.
In the coming year these alternative mechanisms may also be held invalid and/or there may be Safe Harbor 2.0 to rely on – but for now these issues do not exist and businesses should ensure compliance with the law as it exists today.
Steps to take now include assessing:
- What personal data flows does your company have to the US?
- Which is the largest in terms of volume of data transferred? Start with these.
- Which involve sensitive details, e.g. on health? These are high risk, so consider these too as a priority.
- Which of these data flows were made in reliance on Safe Harbor?
- Who were the transfers of data to? Consider internal group transfers and those to third parties such as vendors.
- Do these Safe Harbor based arrangements have contracts which already include completed Model Clauses?
- If not, do these contracts give you the right to insist on Model Clauses if Safe Harbor fails?
- Are discussions in place with the other party for Model Clauses, where not already in place?
- Have you dealt with local data exporter transfer filings / approval requirements and allowed time for their completion before January 2016?
- For future contracts and data flows, are your internal contracts and/or procurement team up to date on the changes, ensuring no future reliance only on the current Safe Harbor framework?