Developments since the Court of Justice of the European Union (“CJEU”) ruled Safe Harbor to be invalid (the “Ruling”).
On 6 October 2015 the CJEU published its Ruling in the case of Maximillian Schrems v Data Protection Commissioner (the “Case”), declaring the decision by the European Commission (the “Commission”) on the adequacy of US Safe Harbor to be invalid. In the wake of the Ruling:
- a number of data protection authorities (“DPAs”) expressed their own opinion on the implications of the Ruling – many taking a considered and practical stance, while others (namely some of the German DPAs) attempted to muddy the water further by applying the same logic used by the CJEU in the Ruling to question the validity of other transfer mechanisms such as the EU Model Clauses (“Model Clauses”) and Binding Corporate Rules (“BCRs”);
- the Article 29 Working Party (the “Working Party”), on 19 October 2015, quietly released a brief statement (the “Statement”) to DPAs, explaining how DPAs should take enforcement action (or not, as the case may be) against businesses continuing to rely solely on Safe Harbor for the transfer of personal data. The Statement also set out a time limit for the implementation of Safe Harbor 2.0 and noted that the Working Party would be considering the validity of other transfer mechanisms in the meantime; and
- it appears that negotiations between EU and US authorities have accelerated more quickly than expected, as the European Commissioner reported on 26 October 2015 that an agreement in principle in relation to Safe Harbor 2.0 has now been reached and that a final agreement is hoped to be achieved soon.
This briefing summarises the above developments and helps to answer the question still being asked by businesses in both the EU and the US: “what do we do now?!”
For a detailed summary of the Ruling (including the rationale given by CJEU in making its decision) please see our earlier briefing, which can be found here.
What are the DPAs saying?
France - Commission Nationale de l’Informatique et des Libertés (“CNIL”)
The CNIL has now updated its website to state that transfers of personal data on the basis of Safe Harbor are no longer possible. However, it stressed the need for co-operation between DPAs.
Spain - Agencia Española de Protección de Datos (“AEPD”)
Similarly, the AEPD also placed the emphasis on co-ordination between DPAs, both in terms of analysing the Ruling and how to apply it consistently throughout Europe.
Germany – Konferenz der Datenschutzbeauftragten des Bundes und der Länder
On 26 October 2015, the German “Konferenz der Datenschutzbeauftragten des Bundes und der Länder”, a conference of the German Federal Data Protection Commissioner and the German state authorities in charge of data protection compliance, issued a position paper in light of the Case. Similar to the Working Party Statement (discussed below), the position paper questions BCRs and Model Clauses but does not go so far as to make a general statement that BCRs and Model Clauses are no longer “valid” (as previously stated or suggested by some local DPAs in Germany).
However, the position paper does clearly state that the German DPAs will not approve any new BCRs or data transfer agreements for transfers to the US. It is unclear how (if at all) this will affect the use of Model Clauses in Germany, as the involvement of a DPA is rather limited there because of the requirement to appoint a data protection officer (a requirement under German law if the company has more than nine (9) employees).
UK – Information Commissioner’s Office (“ICO”)
The ICO appears to have taken a surprisingly lenient approach to the Ruling (at least in some respects). On 27 October 2015, the Deputy Commissioner of the ICO, David Smith, published a statement in which he noted that while the Ruling has cast doubt on Commission decisions on the adequacy of particular countries and Model Clauses/BCRs, such adequacy decisions still stand and can be relied on by businesses for the time being.
However, he also went on to say that business should not panic – “don’t rush to other transfer mechanisms that may turn out to be less than ideal… especially with the possibility that a new, improved and perhaps rebranded Safe Harbor will emerge.”
The ICO even suggested that the Ruling did not make reliance on Safe Harbor (in its current state) automatically unlawful in the UK – “…businesses in the UK don’t have to rely on Commission decisions on adequacy… UK law allows you to rely on your own adequacy assessment.” It based this point on its interpretation that the Ruling only invalidated the Commission’s adequacy decision regarding Safe Harbor and that, in practice, reliance on Safe Harbor still offered some protection that was at least better than simply relying on consent. Therefore, if a business relied only on Safe Harbor, it could presumably escape any enforcement action being taken by the ICO by shoring up the protection of such data by other means. This seems a risky strategy, however, particularly in light of the Working Party Statement (below).
In closing, the ICO gave some further comfort to UK businesses by noting that: “We’re certainly not rushing to use our enforcement powers”.
The Working Party Statement
In its Statement, the Working Party confirmed that reliance solely on Safe Harbor is now unlawful and addressed some of the above points by saying that:
- Model Clauses and BCRs can be relied on as an alternative to Safe Harbor, for now;
- the Working Party will, however, review the validity of these transfer mechanisms over the next couple of months – it noted that the mass surveillance by US authorities is a breach of EU fundamental rights (this being the foundation of the CJEU’s decision) and that reliance on Model Clauses and BCRs does not solve this wider issue;
- EU and US authorities should continue their negotiations in relation to a new version of Safe Harbor (“Safe Harbor 2.0”) which does solve these wider issues – presumably by implementation of new laws, restrictions and/or regulatory oversights in the US;
- DPAs should wait until the end of January 2016 to issue any enforcement against businesses that have not put in place alternatives to Safe Harbor; and
- after the end of January 2016, and dependent on the findings of the review by the Working Party on the validity of Model Clauses and BCRs, DPAs are encouraged to take all necessary steps to investigate complaints in relation to reliance on such transfer mechanisms and take enforcement action as necessary, including co-ordinated enforcement between DPAs where relevant.
However, the Statement was very short and did not offer much in the way of detail. For example, there is no guidance as to what DPAs should do during the period up to the end of January if they receive a complaint in relation to the application of Model Clauses or BCRs. According to the Ruling, such a DPA would be required to investigate and take action according to its findings. It will therefore be interesting to see whether any such complaints are made.
Safe Harbor 2.0
It appears the Working Party hoped its Statement would act as a catalyst for accelerating negotiations with the US in relation to Safe Harbor 2.0, and perhaps this has worked. In an announcement made on Monday 26 October 2015, the European Commissioner gave some details of the Commission’s progress in negotiating with US authorities on a new trans-Atlantic data transfer pact (Safe Harbor 2.0).
While a final agreement has not yet been reached, it appears both sides are keen to ensure that Safe Harbor 2.0 resolves all the problems highlighted by the Ruling. As part of Monday’s announcement, Justice Commissioner Vera Jourova said:
“There is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the [CJEU]”.
She also noted that Safe Harbor 2.0 would include a requirement for increased oversight by the US Department of Commerce.
While no hard deadline for a completed deal was given, the Justice Commissioner did allude to significant movement by mid-November, when she is due to visit Washington to progress discussions further. Therefore, it is very possible we could see the arrival of Safe Harbor 2.0 well in advance of the end of January 2016 deadline set by the Working Party.
So, what should you do?
As a first step, those relying on Safe Harbor should consider their risk exposure. The comments of the ICO appear to give businesses (in the UK at least) a ‘pass’ until the end of January and, if a new version of Safe Harbor appears likely to be introduced before then, businesses may wish to wait. However, other DPAs (such as those in Germany) may not be so lenient. Therefore, if a business has data flowing to the US from European jurisdictions other than the UK, it might be more prudent to implement ‘Plan B’ now and ensure adequate protection by entering into Model Clauses or (where transfers are made internally within the group) considering Binding Corporate Rules.
However, careful consideration will need to be given as to how to approach transfers to vendors and whether these contractual alternatives will be workable. For more information on Model Clauses please see our separate briefing note, titled ‘Model Clauses and Data Transfers – What you need to know in summary’, which can be found here.
Other options? Reliance on consent and the other derogations from the transfer prohibition is unlikely to provide a solution for large-scale, regular transfers. By their nature, these derogations are supposed to deal with specific exceptions to what is otherwise seen as a fundamental right to protection. Consent would have to be very specific, informed and freely given: an “opt in”, with the specific data and transfer described, as well as the impact of the loss of protection, in a way the reader will understand. This is not as easy to achieve as it might appear on first reading.
In any case, it is worth noting that, although it looks like businesses have until the end of January to get this sorted, implementation can often take longer than expected. Therefore, waiting for Safe Harbor 2.0 could cause problems in the long run.
Finally, while these alternative mechanisms may also be held invalid at some point in the coming year, the consensus among most European DPAs is that, for now, they remain valid.
Steps to take
Businesses should assess:
- What personal data flows does your company have to the US?
- Which is the largest in terms of volume of data transferred? Start with these.
- Which involve sensitive details, e.g. on health? These are high risk, so prioritise these too.
- Which of these data flows were made in reliance on Safe Harbor?
- Who were the transfers of data to? Consider internal group transfers and those to third parties such as vendors.
- Do these Safe Harbor based arrangements have contracts which already include completed Model Clauses?
- If not, do these contracts give you the right to insist on Model Clauses if Safe Harbor fails?
- Are discussions in place with the other party for Model Clauses, where not already in place?
- Have you dealt with local data exporter transfer filings / approval requirements and allowed time for their completion before January 2016?
- For future contracts and data flows, are your internal contracts and/or procurement team up to date on the changes, ensuring no future reliance only on the current Safe Harbor framework?