In its ground-breaking judgement in the Schrems vs. Data Protection Commissioner case (C-362/14), the European Court of Justice has declared the Safe Harbor decision of the EU Commission, 2000/560/EC, invalid.
LEGAL SITUATION IN AUSTRIA
For Austria, the consequences of this judgement will likely be extensive, since Austrian legislation provides as a general rule that a data transfer to a country without an adequate level of data protection is subject to approval on a case-by-case basis, even where the data exporter and the data importer have concluded a contract in the form of EU Model Clauses or are subject to Binding Corporate Rules. By contrast, a transfer of data to a Safe Harbor certified organisation was viewed as equivalent to a transfer of data to a country with an adequate level of data protection, and was therefore exempt from approval.
Therefore, following the law, the main and immediate consequence is that transfers of personal data from Austria to the USA are now in principle subject to approval by the Austrian Data Protection Authority (ADPA), unless another exemption applies. Although the approval procedure has been shortened considerably of late, it can still take up to several months in specific cases, especially if the ADPA has to perform a detailed assessment of the application. Given the general statements of the ECJ in the Schrems judgement regarding the level of data protection in the USA, such detailed assessments of data transfers to the USA are possible.
STATEMENT OF THE AUSTRIAN DATA PROTECTION AUTHORITY
In the meantime, the ADPA has issued a preliminary statement regarding the effects of the Schrems case, confirming that data transfers to the USA are now in principle subject to approval by the ADPA. Approval can be dispensed with only if an exemption pursuant to Sect. 12 of the Austrian Data Protection Act, which corresponds broadly to Art. 26 of the Data Privacy Directive 95/46, can be relied upon.
The ADPA has also expressly addressed the case where data are already being, or have already been, transferred to or processed in the USA, stating as a potential alternative that the data exporter entity can “retrieve” the data and continue processing them locally, either on a server within the EU/EEA or in a third country with an adequate level of data protection. Based on this statement, it appears rather certain that the ADPA does not intend to apply the consequences of the Schrems judgement only to future data transfers, but rather considers the data transfers and data processing currently taking place as also “retroactively” becoming subject to approval, absent a relevant exemption. It is, however, unclear at the moment whether this should also apply to controller-to-controller transfers, where the Austrian-based data controller has effectively lost control over the transferred personal data.
As stated above, the exemptions from approval provided in Sect. 12 of the Austrian Data Protection Act, including in particular consent of the data subject(s), are still a possible alternative. However, the requirements for consent as set out by the Austrian Supreme Court and ADPA are rather high, so this alternative may not always be practically available.
IMPACT ON THE APPROVAL PROCEDURE
Regarding the approval procedure, the ADPA has only issued a very brief statement that the data transfer can be approved by a decision of the ADPA, based on an application of the data exporter. It remains unclear, however, whether the Schrems judgement will also affect such approval procedures for data transfers to the USA. Previously, and currently in respect of other countries, obtaining an approval was rather a formality if the application was based on a contract in the form of EU Model Clauses between the data exporter and data importer, or on Binding Corporate Rules to which the data exporter and data importer are subject.
It is doubtful, however, whether the ADPA would still accept these as a valid basis for an approval, considering that the main argument of the ECJ for declaring the Safe Harbor decision invalid was that the US authorities are able to obtain unlimited access to personal data without any recourse. This would also be the case if the data recipient concludes EU Model Clauses or is subject to Binding Corporate Rules.
The public statement of the ADPA (in German) can be found here. Furthermore, we shall keep close contact with the ADPA in the following days and post any updates which may be issued in respect to the open issues.