In early October 2015, the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case, declared the EU-U.S. Safe Harbor invalid, as reported in our previous Alert. The CJEU ruling stunned many businesses and organizations throughout the world. For the past 15 years, the Safe Harbor Program had made it easy for businesses established in the United States and the European Economic Area (EEA) to exchange personal data in the ordinary course of business. It was the simplest and most business-friendly method for addressing the prohibition against cross-border data transfers to the United States, which in the view of the European Union (EU) does not offer adequate protection of privacy rights and personal data.
Since the issuance of the ruling, a flurry of activity has occurred. Numerous reactions and comments have been published. Two of the most notable statements, issued by the EU’s Article 29 Working Party and by the Israeli Law, Information and Technology Authority respectively, require that U.S. companies involved in international exchanges of personal data with the EMEA Region react promptly to the invalidation of the Safe Harbor Program and establish alternative measures to assure compliance with EU and Israeli law.
First, on Oct. 15, 2015, the Article 29 Working Party (the Working Party) - the umbrella organization that encompasses the Data Protection Commissioners of the 31 EEA Member States - published its initial reaction to the CJEU ruling. The Working Party confirms that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warns that if, by January 2016, the U.S. and the EU have not reached a satisfactory agreement that incorporates certain elements identified in the Working Party’s statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross-border data transfers.
Second, on Oct. 19, 2015, the Israeli Law, Information and Technology Authority announced that, in view of the CJEU ruling invalidating the EU-U.S. Safe Harbor, it would cease treating a U.S. company’s self-certification under the EU–U.S. Safe Harbor as a ground for granting derogations to its own prohibition against cross-border data transfers out of Israel. In other words, Israeli companies that relied on the fact that a U.S. company was listed on the Safe Harbor List of the U.S. Department of Commerce can no longer do so to justify the legality of their transfer of data to the U.S.
This article provides an overview of these two significant developments.
The data protection laws of the member states of the EEA prohibit the transfer of personal data outside the EEA territory unless there is a legal basis to show that the personal data, once transferred, will benefit from the same protection as that which they enjoy in the EEA. Numerous other countries around the world, including Israel, have adopted a similar approach.
In 2000, the U.S. Department of Commerce and the European Commission negotiated an agreement providing that if a U.S. company publicly self-certified its adherence to the seven Safe Harbor Principles, it would be deemed to offer the “adequate level of protection” required by the applicable EEA data protection laws. Numerous other countries outside the EEA opted to follow this lead and adopted the position that if a U.S. company was a member of the EU-U.S. Safe Harbor List it would be deemed to offer adequate protection for personal data originating from their own territory. This was the case, for example, for Switzerland (which established its own similar Safe Harbor Program, operated jointly with the EU-U.S. Safe Harbor Program). This also was the case for Israel, which opted to simply refer to the U.S. Department of Commerce program without setting up a formal program of its own.
The Oct. 6, 2015 CJEU ruling found that the 2000 decision of the European Commission approving the Safe Harbor Program as a legal basis to address this prohibition against cross-border transfers was invalid. As a result, more than 4,500 U.S. companies that use their EU-U.S. Safe Harbor Self Certification as the legal basis for their cross-border data transfers from the EU to the U.S. are now unable to provide a legal justification to their European customers, subsidiaries, and other counterparts for such transfers. Until now, it was not clear how the countries outside the EEA that had expressly or impliedly adopted the EU-U.S. Safe Harbor solution would react to the CJEU ruling. Israel’s recent pronouncement may signal a widespread rejection of the current Safe Harbor Program.
EU Article 29 Working Party
The Working Party’s statement of Oct. 15, 2015, outlines its first response to the landmark CJEU ruling. The Working Party’s statement summarizes the group’s evaluation of the first consequences of the ruling to be drawn at the European and national level.
The Working Party points out that the Data Protection Authorities, EU institutions, Member States, and businesses are collectively responsible for finding sustainable solutions to implement the Court’s judgment. It stresses that businesses, in particular, should reflect on the eventual risks they take when transferring data to the U.S., and should consider putting in place legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection principles.
Regarding the practical consequences of the CJEU judgment, the Working Party states that it is clear that transfers from the EU to the U.S. can no longer be framed on the basis of the Safe Harbor mechanism and that “transfers that are still taking place under the Safe Harbor after the CJEU judgment are unlawful.”
This invalidation creates significant obstacles for U.S. companies and their foreign counterparts. For now, Standard Contractual Clauses and Binding Corporate Rules (BCRs) - the other approved methods to achieve the “adequate protection” required by the EEA data protection laws - have not yet been declared invalid. Entering into contracts based on Standard Contractual Clauses might appear to be a fast and efficient way to react to the Safe Harbor invalidation. However, these contracts may not be suitable to all situations. In addition, before jumping to the signature page, significant due diligence must be performed, and many parties may have to agree to the applicable terms. Further, Standard Contractual Clauses create stringent restrictions and significant liabilities. All of these issues, and others, should be examined carefully before executing such clauses.
While multi-national entities may also attempt to obtain approval of BCRs for their internal transfers, there are significant hurdles, as well. For example, currently, only 21 out of the 31 EEA countries recognize BCRs. Further, the process for approval of a set of BCRs may take 15 months or more from beginning to end, which eliminates BCRs as a viable immediate solution.
In its recent public statement, the Working Party announced that, until it has completed its analysis of the impact of the CJEU judgment on other transfer tools, the Data Protection Authorities will continue to consider Standard Contractual Clauses and BCRs acceptable. However, during this transition period, the Data Protection Authorities will continue to exercise their right to investigate particular cases, and to exercise their powers in order to protect individuals.
January 2016 Deadline
The Working Party’s statement sets a January 2016 deadline. If, by the end of January 2016, no appropriate solution is found with the U.S. authorities, then, depending on the assessment of the transfer tools by the Working Party, EU Data Protection Authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.
The Working Party also urges the affected countries to promptly start negotiations of an inter-governmental agreement. While progress has been made with the recent signature of the Umbrella Agreement, which provides for a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation, and the ongoing negotiations regarding the creation of a new Safe Harbor 2.0 program, the Working Party believes that more needs to be done. According to the Working Party, a new Safe Harbor agreement would be only a part of the solution; more is necessary. The Working Party urges Member States and the European institutions to open discussions with U.S. authorities in order to find political, legal, and technical solutions enabling transatlantic data transfers that respect people’s fundamental rights. In particular, it suggests that such solutions could be found through the negotiation of an intergovernmental agreement providing stronger guarantees to EU data subjects.
The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should include clear and binding mechanisms that incorporate at least obligations on:
- Oversight of access by public authorities;
- Redress mechanisms; and
- Data protection rights.
These negotiations are viewed as crucial by the members of the Working Party. If an appropriate solution that meets the criteria described above is not found by January 2016, the Working Party warns that EU Data Protection Authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.
In a further development, the Israeli Law, Information and Technology Authority (ILITA), the country’s data protection authority, has just announced that it revoked its prior authorization permitting the transfer of personal data from Israel to those organizations in the U.S. that certified under the EU-U.S. Safe Harbor. In keeping with the data protection legislation enacted throughout the EEA, the Israel Privacy Protection Regulations (Transfer of Data to Databases Abroad) of 2001 (the 2001 Regulations) restrict the transfer of personal data outside the country unless the recipient country ensures a level of data protection that is no less than that provided under Israeli law, or one of the derogations in Section 2 of the 2001 Regulations applies.
Up until very recently, the ILITA had found that those U.S. organizations certified under the EU-U.S. Safe Harbor provided an adequate level of protection for personal data and, as such, fell under the derogation, provided under Section 2(8)(2) of Israel’s 2001 Regulations, authorizing data transfers from Israel. However, with the recent CJEU decision in the Schrems case, the position of the ILITA has changed. It has stated that organizations can no longer rely on the aforementioned derogation as the basis for the transfer of personal data between Israel and the U.S. and has advised organizations to assess whether they can legitimize the transfer of personal data between Israel and the U.S. under one of the other derogations provided in Section 2 of the 2001 Regulations. The ILITA has also advised that it continues to assess the implications of the Schrems decision and that it will publish information and additional clarifications if necessary.
Israel is one of the few countries whose data protection law has been deemed to meet the stringent criteria required under the EU Data Protection Directive 95/46/EC. Under Commission Decision 2011/61/EU, Israel is considered as providing an adequate level of protection for personal data transferred from the EU. This adequacy finding ensures that personal data can be transferred from the EU to Israel without companies having to rely on other legal methods, such as contractual clauses, to effect the data transfer. It is likely that Israel’s decision to follow the determination in the CJEU ruling invalidating the Safe Harbor Program was prompted by its concern to keep its privileged status vis-à-vis European entities in good standing.
While Israel’s reaction is understandable under the circumstances, it may be a sign that other countries throughout the world that also have the privilege of having been deemed by the European Commission to offer “adequate protection,” such as Argentina, Uruguay, Canada, or Switzerland, might soon adopt the same approach as Israel. This would isolate the U.S. further and create additional pressure for the U.S. government to modify its course of action and its strategies regarding international commerce.
The activities of U.S. law enforcement agencies remain of great concern to the rest of the world. In its statement, the Working Party points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and that existing transfer tools are not the solution to this issue.
It is becoming clear that the repeated assertions of the CJEU in its ruling that personal data, once on U.S. territory, is subject to massive surveillance, and that the current legal regime in the U.S. requires companies to “disregard … without limitation” the protective rules laid down by the Safe Harbor when they conflict with U.S. national security and public interest, are affecting the reasoning of the EEA Data Protection Commissioners. They appear to be gaining traction outside the EEA, as well. The CJEU opinion also points at other deficiencies it sees in the U.S. legal regime, such as a lack of access and correction rights.
The invalidation of the 2000/520 Safe Harbor Decision does not solve these fundamental issues, and there is some concern that the remaining two mechanisms for legally transferring data from the EEA to the U.S. - BCRs and Standard Contractual Clauses - also may be deemed invalid. The next few months will be very busy and will see extensive activities in the U.S., throughout Europe, and probably in other parts of the world. Hopefully, effective and productive negotiations will find a solution that supports commerce and exchanges between the affected countries.
In the meantime, U.S. companies currently relying on the Safe Harbor must urgently evaluate their situation and take appropriate remedial measures to meet the data protection standards in the countries in which they currently do business. The January 2016 deadline set by the Working Party is a very important deadline. U.S. companies should take the time to reshape their cross-border data transfer solutions to address the significant challenges created by the invalidation of the EU-U.S. Safe Harbor, and the associated ramifications such as the Israeli decision.
*Special thanks to Joanne Kirk (CIPP/E) for her valuable contribution to this GT Alert.