After the October 6, 2015, decision of the CJEU, it is clear that transfers of personal data may no longer take place under the Safe Harbor. This was confirmed with no ambiguity by the Article 29 Working Party (Group 29, which includes the National Data Protection Authorities (NDPAs), the European Data Protection Supervisor and the European Commission) on October 16, 2015. This said, one week after the statement of Group 29, a lot of questions remain:
- Compliance with Safe Harbor in the U.S. The fact that the Safe Harbor was cancelled by the CJEU is a question of EU law (invalidation of the EU Commission decision 2000/520). The companies self-certified under Safe Harbor still need to respect U.S. law and, therefore, even if not useful for transatlantic transfer, they are obliged under U.S. law to respect the scheme.
- Effect of the invalidation of the Safe Harbor. For purposes of justifying transfer of personal data from the EU to the U.S., the Safe Harbor was never supposed to have existed. This raises the complicated issue of retroactivity. Past transfers based solely on Safe Harbor could also be challenged. However, today it does not seem the NDPAs will place priority on controlling the past, especially in consideration of the good faith of companies that have used the Safe Harbor scheme.
- Alternatives to Safe Harbor
- Anonymisation of Personal Data when possible. When possible, in order to avoid the personal data legal regime, the principle of privacy by default should be used.
- Segregation of “EU data”. When possible, EU data should remain located in the EU, with no access from the U.S. to this data. But even when this is possible, one should keep in mind that in some cases data will need to be transferred occasionally afterward (for example, for the sake of e-discovery in the U.S.). Therefore, companies should think of alternative means of transfers from the beginning.
- Use of EU Standard Contractual Clauses (SCC). Right now, the SCC are still valid and the EU Commission decisions implementing these clauses (two sets for transfer from controller to controller, and one set for transfer from controller to processor) have not yet been challenged by subject data or NDPA. In the meantime, NDPAs are, however, entitled to investigate particular cases and to exercise their powers, explicitly recognized by the CJEU decision, to suspend or forbid transfers. Some German DPAs, and notably, the one from Schleswig-Holstein, have already declared that SCC are no longer a valid means of transfer of personal data from the EU to the U.S. The opinion of this authority is that the same shortcomings can be invoked for SCC as for Safe Harbor: the general surveillance regime that exists in the U.S. for reasons of national security, and no judicial redress in the U.S. for EU citizens.
- Binding Corporate Rules (BCR). The same reasoning applies to BCR as to SCC. One would also keep in mind that BCR, for controllers or processors, are limited to intra-group transfers.
- Derogation. The directive also allows transfers of personal data to countries that do not ensure an adequate level of protection, if some criteria are met: consent of the data subject; the transfer is necessary for the performance of a contract between the data subject and the controller; the transfer is necessary for the defense of a legal claim; etc. These exceptions are not always as easy to invoke as it seems. For example, the consent must be freely given, specific and informed. These conditions may raise issues in the EU, for example, with employees.
- Timing is Crucial: New Safe Harbor and Deadline Announced by Group 29. Since 2013, the U.S. and the EU Commission have been negotiating improvement to the now dead Safe Harbor. Group 29 has also officially declared that if, by the end of January 2016, no appropriate solution is found, NDPAs are committed to taking all necessary and appropriate actions, including enforcement actions. It is unlikely that a new Safe Harbor will be finalized and that the legal U.S. landscape will have changed (introduction of a proportionate surveillance and judicial redress for European companies) at that time. Therefore, it is of prime importance for all companies transferring data from the EU to the U.S. to review their means of transfer and reshape it if necessary. They will also have to pay constant attention to the evolution of the issue of transatlantic transfers, since EU regulators and NDPAs may also take new positions in the following days, weeks or months.