Whilst the message is "don’t panic", we have seen an unprecedented amount of disruption in the law around exporting personal data outside the EEA.
Under European data protection law, there is a general prohibition on the transfer of personal data outside the EEA unless adequate methods of protection are ensured. The Safe Harbor Decision (Commission Decision 2000/520/EC) provided for one such method, the Safe Harbor scheme, in relation to the transfer of personal data to the US. However, the recent judgment of the Court of Justice of the European Union (CJEU), which declared the Safe Harbor Decision invalid, has propelled not only Safe Harbor but also the other data export mechanisms into the spotlight. In other words, it's time to get to grips with data export solutions.
The CJEU decision means that any data transfers which relied on the Safe Harbor Decision are now unlawful. Consequently, companies must now consider the other mechanisms available to ensure the adequate protection of any data transferred outside the EEA, which essentially comprise (i) data subject consent to the transfer, (ii) standard contractual clauses in place between the relevant data importer and exporter and (iii) Binding Corporate Rules.
Against this recent development, the current European data protection landscape is set to be overhauled by the new General Data Protection Regulation (GDPR), currently in draft form but expected to be finalised next year. Importantly, the GDPR does not change the general prohibition on personal data being exported outside the EEA unless adequate methods of protection are ensured.
Given this, adtech companies must look at data export solutions not only for transfers to the US but for all transfers outside the EEA, and both internally and externally: (i) organisations need to look at their own compliance and take steps to ensure they are fulfilling their obligations as the data controller, being the entity that determines the purposes for which and the manner in which personal data is processed, and (ii) organisations need to be ready to deal with requests from clients to discuss and put in place mechanisms to ensure adequate protection is afforded to any data export outside the EEA. It may also be useful to produce materials or notices to explain to clients the steps taken to ensure such protection and, where necessary, to detail the data collected and the data flow so as to convey where, if at all, data export occurs outside the EEA. For the adtech industry, with the flow of data often happening in real time, it will also be important to pinpoint exactly where data export occurs, especially if exporting data outside the EEA to the US, as the 'catch-all' net of Safe Harbor has now been removed. By evaluating data export compliance now, adtech businesses will place themselves in a good position to deal with the GDPR when it comes into effect.
Below, we consider the recent CJEU developments and the various drafts of the GDPR from the European Council (Council), European Commission (Commission) and European Parliament (Parliament).
Compliance post Safe Harbor
Concerns about the Safe Harbor Principles are not new; the Commission and US authorities have been engaged in discussions reviewing Safe Harbor for a couple of years, and changes were expected ahead of the recent CJEU judgment, with a more privacy-robust mechanism already anticipated in the not so distant future. However, the CJEU ruling was an exceptional development.
The impact of the CJEU ruling is that the Safe Harbor Principles are no longer presumed to afford adequate protection to personal data transferred to the US, and that Member State data protection authorities are no longer bound by those principles to allow the transfer of personal data to the US. Also, importantly, any exports made to the US in reliance on the Safe Harbor Principles will potentially be subject to investigation by the applicable data protection authority and to possible enforcement action. What's more, Safe Harbor provided an almost umbrella protection, suitable for those organisations that are based in the US with no European entity, as is prevalent in the adtech industry. With Safe Harbor gone, adtech organisations that export European personal data to the US, or access European personal data from the US, must consider and evaluate each point of data export, which can be a complicated exercise where multiple parties are engaged.
The Article 29 Working Party (WP), which is an organisation comprised of EU regulators, recently published its views on the CJEU ruling. The WP has urged Member States, European bodies and US authorities to achieve a 'political, legal and technical solution' to enable transfers that 'respect fundamental rights'. The WP suggests that these solutions could be found through intergovernmental agreements providing enhanced guarantees to EU data subjects, and possibly as a result of the current negotiations on a new Safe Harbor (i.e. Safe Harbor II). If by the end of January 2016 no further solution is found between EU bodies and the US authorities (and depending on the WP's assessment of the other transfer tools), EU data protection authorities 'are committed' to take action 'which may include co-ordinated enforcement'. In the meantime, the WP will continue to assess the impact of the CJEU ruling on other transfer solutions. During this period the EU data protection authorities will consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. However, Member State data protection authorities will retain the authority to look behind those mechanisms, 'for instance on the basis of complaints', and where necessary 'exercise their powers to protect EU data subjects'. Read our full summary.
The UK regulator, the Information Commissioner's Office (ICO), has commented on the CJEU ruling to emphasise that organisations must carefully consider their obligations and ensure that data transferred to the US is compliant with the law. Further, organisations should be aware of the full suite of mechanisms available to ensure adequate protection of personal data when transferring to a third country. You can hear more of the Information Commissioner's views from our recent webinar.
While it remains to be seen exactly how Member State data protection authorities will apply the CJEU ruling, it's clear that adtech organisations need to act fast to review their compliance mechanisms for data transfers to the US (and by extension to all third countries) and ensure that these are in line with the law. Adtech organisations must also be prepared to ask and answer penetrating questions about personal data exports outside the EEA. In particular, in Europe the level of scrutiny of the data that adtech services are likely to collect will be high. For example: is the IP address collected truncated? Is it paired with any other data? How could a data subject obtain the data which an adtech company holds on them, and would this be pulled from various country operations? Consequently, it's important for adtech businesses to address data export solutions quickly, so that they are well versed in any client requests or queries and in those that may come in due course from the regulators.
Key points from the drafts of the GDPR from the Council, Commission and Parliament in relation to data exports.
General Principle for transfers (Article 40)
Although the Council's draft merges Articles 40 and 41 (see below), all three institutions agree that a transfer of personal data to a third country or international organisation may only take place if the conditions set out in the GDPR are complied with (including for onward transfers). As such, the principle of a general prohibition on personal data being transferred outside the EU without ensuring adequate protection is maintained.
Commission finding of adequacy (Article 41)
There are some common points of agreement among the three drafts. For example (and as set out in current law), the Council, Commission and Parliament proposals all agree that personal data may be transferred to a third country pursuant to a Commission finding of adequacy. Further, Article 41 extends the current European Data Protection Directive 95/46/EC (Directive) by providing that the Commission may also deem (i) a territory, (ii) an international organisation or (iii) a sector within a third country to provide adequate protection. However, there are small but significant differences between the three drafts:
- the Council provides that a sector in a third country which the Commission has decided ensures adequate protection may be any specific sector while the Commission and Parliament state that this will be a processing sector;
- the Commission and Council provide that any finding of adequacy shall not require further authorisation, whereas the Parliament more carefully proposes that no specific authorisation will be needed;
- the Parliament asserts that the Commission, when adopting delegated acts pursuant to Article 86 (deeming adequate protection), shall provide for a sunset clause in the case of an approved processing sector in a third country meaning that the act shall cease to have effect after a certain date;
- in assessing third country adequacy the Parliament and Council are aligned in stating that the relevant supervisory authority should have powers to impose sanctions while the Commission more moderately asserts that such authority should be responsible for ensuring compliance with data protection rules; and
- the Council draft provides that where the Commission decides that a third country, territory, specified sector within a third country, or international organisation no longer ensures adequate protection, a possible remedy feature shall subsist so that the Commission shall consult with the applicable third country or international organisation with a view to resolving the situation.
It is clear that the provisions of this Article aim to extend the circumstances in which the Commission may deem adequacy and, in some ways, although not radically so, reflect a more modern and flexible approach. An example of this is the inclusion in the Council's draft that any specific sector, and not just a processing sector, may be deemed adequate by the Commission. It is reasonably unlikely that the adtech industry, given the type of processing operations involved, would be classed as such a sector, although the extent to which these provisions may be extended or restricted in the final draft remains to be seen. In addition, whether or not adequacy rulings will require further or specific authorisations, especially given the recent CJEU ruling on the Commission's Safe Harbor Decision, will be particularly interesting. Adtech organisations should pay particular attention to this in relation to where their current operations are based, and look to local regulator guidance to understand the types of data processing activities which will be subject to stricter interpretation, so as to ensure compliance at all times.
Appropriate safeguards (Article 42)
By way of background, current European data protection law places legal obligations only on the data controller. Under the GDPR, however, data processors will also be subject to obligations. In this way the net for compliance is cast wider, and adtech companies must consider how this may impact their own obligations. Where the Commission has not delivered an adequacy finding pursuant to Article 41, a controller or processor may transfer personal data to a third country or international organisation only where the controller or processor has adduced appropriate safeguards. The Council is clear that such safeguards should also cover onward transfers.
Click here to view the table.
The Commission and Council agree that where a Member State has authorised a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection but where the controller adduces adequate protection (pursuant to Article 26(2) of the current Directive), such authorisation shall remain valid until amended, replaced or repealed by that supervisory authority. The Parliament, however, suggests that such authorisation would remain valid only until two years after the GDPR comes into force, unless amended, replaced or repealed by that supervisory authority before the end of that two-year period.
Binding Corporate Rules (BCRs) (Article 43)
All three drafts provide for legal recognition of BCRs for the first time in European data protection law. Importantly, and in an attempt to streamline the current BCR approval process, the drafts also set out that BCRs will be approved by the supervisory authority in accordance with the consistency mechanism. BCRs are often more suitable for larger, more developed organisations; adtech companies at this stage may look to BCRs to provide such a data export solution. Significantly, the definitions of the 'corporate group' that can use BCRs vary slightly across the current drafts of the GDPR:
Click here to view the table.
Transfers or disclosure not authorised by Union law (Article 43a) (Parliament only)
The Parliament has suggested the inclusion of a new Article 43a, which states that no judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Member State. In a post-Snowden era, it will be interesting to see how this materialises in the final draft.
Derogations (Article 44)
Article 44 sets out the possible derogations from the general prohibition on transferring data outside Europe unless it is adequately protected, which essentially mirror the existing derogations in the Directive:
- where the data subject has consented to the transfer and been informed of the risks of such transfers; or
- the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of the data subject's request; or
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or
- the transfer is necessary for important grounds of public interest; or
- the transfer is necessary for the establishment, exercise or defence of legal claims; or
- the transfer is necessary to protect the vital interest of the data subject or another person, where the data subject is physically or legally incapable of giving consent; or
- the transfer is made from a public register intended to provide information to the public and which is open to consultation either by the public in general or to any person who can demonstrate legitimate interest.
The Commission and Council also permit a derogation where the transfer is not large-scale or frequent and is necessary for the purposes of the legitimate interests pursued by the controller (the Commission's draft also references processors), provided the controller has assessed all the circumstances surrounding the data transfer operation and, on the basis of that assessment, adduced appropriate safeguards with respect to the protection of personal data. Interestingly, the Council's draft adds the condition that the legitimate interests of the controller are not overridden by the interests or rights and freedoms of the data subject.
At first glance the derogations can seem obvious solutions for some companies; in practice, however, they set a high threshold. Moreover, in the adtech industry some derogations would simply not be feasible: for example, data subject consent, which is in itself notoriously hard to corroborate, would be near impossible to obtain where information is automatically collected from a data subject before they have had an opportunity to consent.
International co–operation (Article 45)
This Article sets out that the Commission, along with the supervisory authorities, shall take steps to develop effective international co-operation mechanisms to ensure the enforcement of legislation for the protection of personal data, including providing international mutual assistance in the enforcement of such legislation. All drafts are similarly worded and reinforce the principle of international cohesion in the sphere of data protection.
So, where are we now?
The trilogues are in full swing, with the Parliament, Council and Commission considering and discussing each of their versions in order to agree a final position. Each will have to compromise, and inevitably the extent to which each party is willing to do so will prove key. Given the recent CJEU ruling and the increased media attention in a post-Snowden era, data exports are likely to prove a hotly debated area. While the various drafts of the GDPR do not differ massively from the existing Directive and the data export solutions currently available, as the ICO has said, "The devil is in the detail", and that detail remains to be seen.
The law inevitably cannot keep pace with technological advances, and the adtech industry is certainly at the forefront of such advances. In some ways many concepts and principles of European data protection law do not sit comfortably with the industry; however, as set out above, the basic principles with regard to data export are not changing. Adtech companies must acclimatise to recent developments and, whilst regulators may acknowledge (for now) that this will not be immediate, it is expected that adtech companies will take steps to review and put in place new mechanisms where they previously relied on Safe Harbor. Going forward, and better yet as part of a review following the recent CJEU ruling, a wider data export analysis should be undertaken. The level of attention that data exports receive is not likely to decrease. As an industry with multifaceted data transfers and exports, adtech should look to respond assertively to recent and planned changes.