Following on the heels of the IAPP Congress in Brussels, the CNIL’s (the French data protection authority) international chief, Florence Raynal, engaged in a dialogue with the members of the American Chamber of Commerce’s Digital Economy Committee in France. Raynal engaged with AmCham members on questions relating to the EU-US Safe Harbor framework, focusing on the practicalities of onward transfers. The discussion involved two kinds of transfers.
First, Raynal pointed out her belief that transfers from an EU-based data controller to a US-based data processor cannot be done relying on Safe Harbor alone. Aspects of the Safe Harbor principles are not well-adapted to a processor. Consequently, it’s Raynal’s view that when transferring data to a US-based processor that is Safe Harbor certified, the data controller must still enter into a data processing contract that contains minimum provisions relating to the security and use of personal data by the processor in the US.
The second kind of transfer that generated debate was the onward transfer by a Safe Harbor certified US-based company to another processor or controller located outside the US, in India for example. Raynal said that the Article 29 Working Party was particularly concerned with situations where the two-step transfer from the EU to the US and then from the US to India is in fact collapsed into a single transfer, directly from the EU to India. In that case, Raynal characterized the transfer to the US as being virtual or “fictitious.” Members of the AmCham commented that in most cases the transfers are not fictitious, because the US-based company has an important role in the decisions relating to the data processing, and is “in charge” of the data as a data controller or main data processor. Raynal warned participants to be wary of relying on Safe Harbor for transfers to third countries that should otherwise be covered by standard contractual clauses.
Discussions then focused on the circumstances where data is in fact transferred to the Safe Harbor certified US-based company, and then transferred onward to a company acting as an agent in India. In that case, there is no fictitious transfer to the US but an actual transfer followed by an onward transfer. Raynal confirmed that the current Safe Harbor arrangement does not impose a general obligation requiring a specific contractual form for the onward transfer but that this was the subject of discussion between European and US authorities. European authorities would like the US Department of Commerce to impose certain minimal contractual clauses to cover these onward transfers. In addition, Raynal believes the requirements applicable to onward transfers made to a company not acting as an agent or between sub-processors should be clarified.
Raynal discussed other issues raised by the Article 29 Working Party in connection with Safe Harbor, pointing out that one of the most important issues for the Article 29 Working Party is the Safe Harbor exemption for “publicly available information.” This would be a “tough negotiation point” for European negotiators, said Raynal, adding that the exemption for publicly available information also appears in the CBPR (Cross Border Privacy Rules) prepared under the APEC framework. This is a key issue for European policymakers because under the current directive and the future regulation, protection of personal data extends to personal data that is available on the Internet. According to Raynal, allowing an exemption for “publicly available information” would create a huge gap in protection compared to current European standards.
On the issue related to government access to data, members of the AmCham committee said that it was a shame that this bigger political issue was being brought to the Safe Harbor discussion. Many aspects of the Safe Harbor discussion cover practical points that can be solved through pragmatic proposals. The Snowden and NSA debate raises much larger political issues that cannot be as easily solved. Raynal insisted, however, that from a European standpoint the law enforcement and national security aspect must be part of the Safe Harbor discussions. This is a political reality, reflected most strongly in the position of the European Parliament. It is therefore up to the relevant negotiators to make sure they have the right people at the table to discuss these issues.
On the issue of TTIP, Raynal referred to the complex dynamics and interrelationship between the Safe Harbor discussions, the TTIP negotiations, and the European discussions on the future data protection regulation. Each of these three processes feeds into the other two, creating a dynamic situation with uncertain timing. It’s not unreasonable to think, however, that the Safe Harbor negotiations, if successful, might form a basis for a potential TTIP chapter on personal data. Raynal hastened to point out that for the time being the European Commission’s negotiation mandate under TTIP does not include personal data, and that this position is supported by all Member States.