October has been a busy month for Data Protection Authorities in the EU. Following the Court of Justice of the European Union’s judgment in Maximillian Schrems v Data Protection Commissioner (C-362/14) on 6 October, uncertainty ruled. Businesses and DPAs alike struggled to come to terms with the implications of the invalidation of Safe Harbor. This week, European Justice Commissioner Vera Jourova stated that an agreement in principle had been reached with the United States on a new trans-Atlantic data transfer pact, dubbed “Safe Harbor 2.0” by some. But what should businesses be doing in the meantime?
On 16 October, the Article 29 Working Party released a coordinated statement, promising a “robust, collective and common position” on the implementation of the CJEU’s judgment by national Data Protection Authorities. As October draws to a close, cracks in this common approach are already appearing, and businesses are facing a winter of frosty relations with some of the EU’s Data Protection Authorities.
Germany

On 26 October, representatives of the 16 German state Data Protection Authorities and the Federal Data Protection Commissioner published a unified Position Paper on the impact of the CJEU’s judgment.
The Position Paper states that German DPAs will not, for the time being, issue new permissions for data transfers to the United States based on Binding Corporate Rules or data transfer agreements. The German DPAs call on the EU and the United States to find a solution and state that German DPAs will increase their enforcement activities.
The Position Paper contains 14 unified conclusions of the DPAs. The key points are that:
- Safe Harbor can no longer legitimise data transfers.
- The legitimacy of Model Clauses and Binding Corporate Rules is questionable.
- If German DPAs become aware of data transfers to the United States based solely on Safe Harbor, they will prohibit them.
- German DPAs will apply the criteria set out by the CJEU when exercising their audit rights under the relevant Commission decisions on Model Clauses.
- For the time being German DPAs will not issue new approvals for data transfers to the United States based solely on Binding Corporate Rules or data transfer agreements.
- Under certain strict criteria individual consent may legitimise the transfer of personal data.
- In cases of transferring employee data or personal data of third party data subjects, consent may legitimise data transfers to the United States in exceptional circumstances.
- The German Federal Government is called on to push for an adequate level of protection of human rights in relation to privacy and data protection vis-à-vis the United States Government.
- The Commission, Council and Parliament are asked to apply the CJEU’s strict criteria in the General Data Protection Regulation.
The Article 29 Working Party stated earlier in October that both Model Clauses and Binding Corporate Rules can be used in the short term. German DPAs now apply a different approach: Binding Corporate Rules and data transfer agreements are no longer a sufficient basis for issuing new permissions for data transfers to the US.
The Position Paper creates a degree of legal certainty on how data transfers will be treated in Germany. However, it fails to provide companies with sufficient guidance as to what they should do next. At the same time DPAs have warned that they will be increasing their enforcement activities unless an appropriate solution is agreed with the US by the end of January 2016.
With regards to reliance on data subject consent for data transfers, it remains to be seen whether the German courts will share the DPAs’ strict approach on its validity. If consent is informed and freely given by data subjects, German courts could still deem it valid even in cases of mass data transfers.
United Kingdom

On 27 October the ICO’s Deputy Commissioner and Director of Data Protection released a blog post discussing the implications of the CJEU’s judgment. The ICO has arguably taken quite a liberal view, stating that whilst it is inevitable that legal certainty surrounding Model Clauses and other methods of transfer is no longer available, the ICO will not rush to use its enforcement powers. Further, the Deputy Commissioner points out that businesses in the UK have the option to rely on their own adequacy assessments to transfer personal data abroad, and that the Safe Harbor principles can still play a role in this. Two central messages are that companies should not panic to put mechanisms in place “that may turn out to be less than ideal”, and should take stock and consider the data that is being transferred abroad, and whether it is adequately protected.
Portugal

Portugal’s CNPD announced on 23 October that it will only be issuing provisional authorisations for international data transfers to the United States based on Model Clauses or other valid methods of transfer. The CNPD also stated that it would review transfers previously authorised under Safe Harbor, and that companies should suspend any data flows currently operating on that ground.
Greece

The Greek DPA announced at the end of October that businesses should suspend transfers of personal data to the United States based on Safe Harbor, but has stated that Model Clauses or Binding Corporate Rules can be used instead.
Switzerland

Switzerland is not an EU/EEA member state, and therefore is not directly affected by the CJEU’s judgment. However, the country had its own separate Safe Harbor framework with the United States, which was almost identical in terms. In the wake of the CJEU’s judgment, the Swiss Federal Data Protection and Information Commissioner announced in October that the Safe Harbor framework is no longer considered a sufficient safeguard, and recommended that contractual safeguards such as data transfer agreements and Binding Corporate Rules be implemented instead. The authority requested that businesses implement these changes by the end of January 2016.
What now?

The cracks developing across the EU mean that careful consideration will need to be given to what measures are put in place by businesses. The new year will bring further announcements by national authorities and the EU institutions, possibly including the long-awaited General Data Protection Regulation. The importance of businesses taking action now in order to prepare for what is to come cannot be overstated.
Ultimately, any long-term solution to the issue of personal data transfers to the United States will have to come from political discussions. This was recognised by the Chairman of the Netherlands DPA at the Data Protection Authorities’ 37th International Privacy Conference held last week.