On 6 November 2015, the European Commission issued guidance in the form of a Communication on the transfer of personal data from the EU to the US following the Schrems Judgment at the beginning of October (for information on the Judgment, see DLA Piper’s Privacy Matters blog post).
The following points are stressed in the Communication:
Alternative bases for transfers of EU personal data to the US
- Standard Contractual Clauses (“SCCs”), as approved by the European Commission, can be used as a basis for EU data transfers to the US (available here). As Commission decisions are binding in EU Member States, incorporating the SCCs in a contract means that national authorities are, in principle, under an obligation to accept the clauses where they have been used without amendment. This is without prejudice to their power to examine the clauses in the light of the Schrems Judgment.
- Binding Corporate Rules (“BCRs”) can allow personal data to move among the entities of a corporate group worldwide. BCRs are not only binding on members of the corporate group but are also enforceable in the EU.
- Derogations (which include performance of a contract, public interest grounds, free and informed consent of the individual etc.) may apply but the Article 29 Working Party (the European Commission’s advisors on data protection matters) considers that due to their exceptional nature, the derogations should be strictly interpreted.
Role of national Data Protection Authorities (“DPAs”)
In its guidance, the Commission also recalls the following two points: (1) transfers to a third country can be lawfully made only if the data have originally been collected and further processed by a data controller established in the EU; and (2) where the Commission does not find adequacy, controllers are responsible for making sure that transfers take place with sufficient safeguards. Compliance with these requirements is ultimately assessed by national DPAs.
This means that DPAs have a central role to play as they are the main enforcers of the fundamental rights of data subjects and responsible for supervising data transfers from the EU to third countries, in full independence. The Commission invites data controllers to cooperate with the DPAs, thereby helping them to effectively carry out their supervisory role.
The Commission’s guidance aims to clarify under which conditions transfers of EU personal data to the US can continue but is without prejudice to the powers of the DPAs to examine the lawfulness of transatlantic transfers. The guidance does not lay down binding rules and respects the powers of national courts to interpret the applicable law. Nor does the document form the basis for any individual or collective legal entitlement or claim.
Although the scope of the Schrems Judgment is limited to the Commission’s Safe Harbor Decision, each other adequacy decision includes a limitation on the powers of DPAs (Article 3 of the Safe Harbor framework allows national supervisory authorities to take action to ensure compliance (e.g. suspend data flows to a self-certified organisation) but only under restrictive conditions). There is a high threshold for intervention which the CJEU considers invalid. The Commission will now prepare a decision replacing that provision in all existing adequacy provisions.