What Should You Do Now?
The best general advice for companies transferring personal data from the EU to the US and seeking to minimize their compliance risk is to:
Put in place the EU Model Clauses between the relevant data exporters and data importers, prioritising key transfers first (unless and until the Article 29 Working Party or the relevant national Data Protection Authority issues different advice); and
Take a serious look at their data practices and consider the following questions:
- Are the transfers limited to affiliates within the same corporate group? What types of data are involved – employee, customer, online?
- Are the transfers to third-party vendors, including SAAS and cloud providers? In this case, relevant contract provisions should be reviewed. Ideally, from the customer’s perspective, the providers should sign up to the EU Model Clauses.
- From which EU member states is most of the data being transferred? (Some DPAs take a stricter view than others.)
- Are the transfers necessary? Could they be curtailed without major effect? Could the data be aggregated or anonymised in Europe before transfer? (proportionality principle)
- Do the EU data subjects involved have adequate notice that their data is being transferred to the US for processing/storage? Would they be surprised to learn this? (transparency obligation)
- Are there other grounds to legitimize the transfers? For example:
  - Is the data transfer to the US necessary to perform a contract?
  - Has the data subject given informed consent to the transfer?
    (Note: Reliance on consent may be problematic in the case of employees; in any event, consent may be withdrawn.)
- Are the data transfers large-scale and systematic? (Note: “transfer” includes remote access to EU data, e.g., US managers’ access to French employee data via global HR database.)
- If employee data is involved, what is the company’s relationship with the relevant Works Councils in Europe?
- To what extent do US public authorities have “indiscriminate access” to the data held by the US importer under relevant US legislation?
Review the practical steps taken by the data importer to comply with data protection requirements (e.g., guidance and training for employees handling personal data).
Keep the Article 29 Working Party announcements under review, as they will be issuing future guidance on the EU Model Clauses, BCRs, etc.
Keep under review any announcements or guidance issued by individual national Data Protection Authorities.
The Court’s Main Concerns:
- The EU Commission did not make the requisite finding that US legislation, in fact, “ensures an adequate level of protection for EU personal data”.
- Legislation permitting public authorities to access the content of electronic communications on a generalized basis must be regarded as compromising the essence of the right to privacy guaranteed by the EU Charter of Fundamental Rights.
- Legislation that does not allow an EU individual to pursue legal remedies to access and rectify personal data held by public authorities is also incompatible with the EU Charter.
- Negotiations relating to the (in)adequacy of the Safe Harbor framework between the US and EU have been ongoing since 2013.
- Agreement had been reached on most points, including stricter requirements and the need for tougher enforcement by US authorities.
- On 6 October 2015, the EU Court of Justice ruled that the EU Commission decision approving Safe Harbor is invalid.
The Court’s Judgment has immediate effect and is not subject to appeal.
What Happens Next?
- EU Commission must now examine in detail the adequacy (or inadequacy) of new US legislation (USA Freedom Act adopted in June 2015) and other proposed measures.
- The Article 29 Working Party has issued a statement indicating that:
  - The Safe Harbor arrangements are invalid and may not be relied upon.
  - Negotiations to resolve the concerns identified by the CJEU should be completed by end January 2016.
  - In the interim, SH-certified companies may rely on the EU Standard Clauses (Model Clauses) or Binding Corporate Rules (BCRs).
- The EU Model Clauses and BCRs will also be reviewed in light of the Court’s decision and the issues identified with regard to Safe Harbor.