Under the Lithuanian Data Protection Law, the transfers outside EU/EEA member countries from Lithuania must be authorised by the Data Protection Inspectorate (DPI) unless one of the statutory exceptions apply (e.g. consent of the data subject; transfer is necessary for the benefit of the data subject; etc.). As the employee consent is considered insufficient, given that no other exception applies, transfers of employee data is always subject to prior authorisation by the DPI.
The Ruling of the Court of Justice of the European Union (hereinafter – the Schrems Judgement) considered that the Safe Harbor framework is invalid and this create several immediate practical consequences for businesses in Lithuania that have relied on the Safe Harbor framework to transfer personal data to the US.
First, from now on personal data transfer to the US as such and also transfer related data processing registration with the DPI will be more difficult from the legal point of view.
Before the Schrems Judgement, the adequate level of data protection could have been supported by (i) valid Safe Harbor certificate for US entities and a simple Data Transfer Agreement; or (ii) agreement between the data importer and data exporter corresponding to the Standard Contractual Clauses issued by the European Commission; or (iii) Intra-group Data Transfer Agreement (e.g. Binding Corporate Rules).
With regard to the Schrems Judgement, the first of the three options for proving the adequate level of data protection (i.e. the Safe Harbor framework) becomes non-applicable and the remaining two options have to be relied upon.
Second, for those companies which have transferred the data to the US under the Safe Harbor regime until the Schrems Judgement and strive to continue legal data transfers, there is a great deal of uncertainty regarding how quickly they should implement new measures and obtain a relevant authorisation for transferring personal data to the US.
The Lithuanian DPI has not officially commented on the Schrems Judgement and consequences thereof to the national data transfer authorisation procedures so far. It is likely that the Lithuanian DPI will wait until some guidance from the European Commission of Article 29 of the Data Protection Working Party is given before guiding data controllers on how to reframe the legal basis for data transfers to the US. However, it is highly unlikely that data controllers who relied on the legality of the Safe Harbor regime for data transfers to the US until the Schrems judgement will face any negative consequences from the DPI.
Author: Vaiva Mašidlauskienė, Associate, Sorainen law firm