The options available to EU organisations for lawfully transferring personal data from Europe to the United States appear to be dwindling. In particular, there have been further setbacks to the approval of the Privacy Shield and, separately, a new legal challenge to the validity of EU model contract clauses.
The Privacy Shield: We recently reported on the critical opinion by the EU Article 29 Working Party (“WP29”) on the Privacy Shield which will replace the defunct Safe Harbor scheme for data flows from the EU to the United States. Confidence in the proposed framework just suffered further knocks, the first of which was the European Parliament’s Resolution on transatlantic data flows (“Resolution”) calling for the Privacy Shield negotiations to be reopened to address remaining deficiencies.
A substantial majority of MEPs (501 votes to 119) were dissatisfied with the levels of protection offered by the Privacy Shield. The Resolution called for all of the WP29’s recommendations to be implemented, and also called on the Commission to seek clarification on the legal status of the various “written assurances” provided by the United States.
MEPs agreed that the Commission should also ensure that, following implementation of the Privacy Shield, “periodic robust reviews” are conducted to guarantee that the protection afforded by the Privacy Shield is in line with the requirements of the General Data Protection Regulation (“GDPR”), which enters into force 25 May 2018. The Resolution does not bind the Commission; however, like the WP29 opinion before it, it is influential and is likely to increase the pressure on the European Commission to improve the Privacy Shield before it is officially adopted.
The second recent blow for the Privacy Shield is the opinion published by the European Data Protection Supervisor (“EDPS”), Mr Giovanni Buttarelli, stating that “the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court” and signalling that “significant improvements” are needed.
Before the Privacy Shield can be implemented, it must be approved by a qualified majority of the Article 31 Committee (comprising representatives from the Member States). The Commission hopes that this will happen before the end of June, but the Committee failed to reach a consensus at a meeting earlier in May. Max Schrems, the privacy campaigner whose complaint led to the invalidity of Safe Harbor, has already declared that he intends to challenge the lawfulness of the Privacy Shield.
EU Model Clauses or Standard Contract Clauses (“SCCs”): This popular compliance mechanism for transferring data across the Atlantic (or out of the EEA generally) received an additional boost following the invalidation of Safe Harbor last year. At that time, many organisations converted former Safe Harbor-based transfers to transfers covered by SCCs between the EU exporter and U.S. recipient. Quick to implement, they appeared an attractive option – and were promoted as such by Data Protection Authorities – for the lawful transfer of personal data, while EU institutions and the United States negotiated the terms of the Privacy Shield.
However, even the SCCs are looking vulnerable to challenge. The Irish Data Protection Commissioner announced on 25 May that she plans to seek “declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers” under the SCCs. The statement was issued in response to a new complaint made by Max Schrems asserting that the EU model clauses suffer from the same flaws which proved fatal for Safe Harbor, including the fact that SCCs do not prevent U.S. authorities from mass, indiscriminate access to EU citizens’ personal data.
If the CJEU eventually declares SCCs invalid, then the remaining options available to organisations are limited. Organisations may opt for authorised Binding Corporate Rules for intra-company transfers; however, these require significant investment and will not be appropriate for the resources or trading profile of every organisation. It may be possible to rely on the consent of the data subject as a legal basis for the transfer of their data; however, consent is also unlikely to work for all categories of data, in particular employees’ data. To compound the difficulties, the introduction of the GDPR in 2018 means that the requirements to achieve a valid consent will become more stringent.
Data Fortress Europe?: Transferring personal data to the United States from the EU in compliance with the law has never seemed so perplexing or so uncertain. This position is deeply unsatisfactory and challenging for global business, something which has not gone unnoticed by governments and law makers on either side of the Atlantic. As the list of transfer options becomes shorter and less predictable, the pressure mounts to negotiate and implement a Safe Harbor replacement which satisfactorily balances EU citizens’ rights against the commercial realities of global trade. A hermetically sealed “Data Fortress Europe” would ultimately benefit no one.