‘This case is not about Facebook. What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows…It is imperative that E.U. and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.’ Facebook response to the CJEU ruling.
Introduction
Following the recent ruling of the Court of Justice of the European Union in the case of Max Schrems v Data Protection Commissioner, Case C-362/14, a significant and widely used mechanism for the transfer of personal data from the EU to the US has been eliminated. In its judgment, the CJEU invalidated European Commission Decision 2000/520 concerning transfers of personal data to US companies that signed up to self-certification under the US/EU Safe Harbour programme. The general consensus in the wake of the judgment is not to panic. However, having said that, the CJEU judgment cannot be overlooked by companies and regulators. So what is the wider impact of the decision and what practical steps can companies take in the aftermath of the CJEU ruling?
Practical effect of the decision
One of the requirements of the Data Protection Directive 95/46/EC is that personal data must not be transferred outside the EEA unless the country it is being transferred to has ensured an ‘adequate’ level of protection. The Commission is able to make a finding of adequacy in respect of a specified country outside of the EEA, and Safe Harbour was an example of such a decision. It is now clear from the judgment that businesses are no longer able to use the Safe Harbour framework as a basis to lawfully transfer personal data from the EU to the US.
Who will be affected by the ruling?
It is difficult to envisage any parties involved in transatlantic data exchanges from the EU that will not be concerned about the invalidation of the Safe Harbour regime. From leading tech companies, including cloud providers and social media platforms, to a wide variety of other companies relying on the transfer of data from the EU to the US in the course of their business operations. While some data transfer agreements (founded on Safe Harbour) have been theoretically invalidated, there is presently a sort of legal ‘limbo’, in a manner of speaking. What is clear, however, is that it is not possible to enter into new data transfer agreements which are based on the Safe Harbour framework. Instead, other methods to assess or ensure ‘adequacy’ will have to be used, as further explained below.
What has been the response from regulators?
Interestingly, the CJEU did not mention any grace period or offer any advice for those relying on Safe Harbour in its judgment. The lack of any transitional framework presents a number of practical issues following Safe Harbour’s immediate invalidation, considering that it is impossible and unrealistic for data transfers to terminate overnight. This begs the question of what is required of companies who have relied on the Safe Harbour framework, and transferred data in line with its requirements, to date.
The Information Commissioner’s Office released a statement on 6 October indicating that businesses that use Safe Harbour will have to review how they ensure that data transferred to the US is transferred in line with the law, and the ICO recognised that it will take businesses time to do this. At a conference on 8 October, UK Information Commissioner Christopher Graham advised that the ICO’s office will not be ‘knee-jerking into sudden enforcement of a new arrangement.’ He advised that the ICO are coordinating with the other data protection authorities (‘DPAs’) across the EU.
The Article 29 Working Party met on 8 October and then again the following week, with the aim of issuing a harmonised response to the Schrems decision and preventing a patchwork approach throughout Europe. The Article 29 Working Party issued a statement in response to the Schrems ruling on 16 October which emphasises that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. The Article 29 Working Party also indicated that the EU and the USA will have until the end of January 2016 to find a political, technical, or legal solution to the now invalid Safe Harbour agreement for data transfers from the EU to the USA. The Article 29 Working Party advised that:
‘businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.’
The Article 29 Working Party confirmed that transfers still taking place under Safe Harbour after the CJEU judgment are currently unlawful, and that EU DPAs may investigate particular cases, such as those based on complaints, and exercise their powers in order to protect individuals. If no solution has been identified by the end of January 2016, the Working Party warned that EU DPAs may then start taking coordinated enforcement actions.
The European Commission has also issued a response to the Schrems case in which it indicated that US data transfers based on other methods of transfer, such as EU model clauses, are still valid. The Commission also referred to its ongoing negotiations with the US government on ‘Safe Harbour 2.0’.
Is enforcement action likely?
It seems unlikely that we are going to see enforcement activities initiated by DPAs in the immediate future, not least because of the huge administrative burden that an investigation of such proportions would involve, especially in light of the number of transfers under the regime since 2000. However, it should not be expected that the DPAs will disregard such a course of action once appropriate guidance is established by the regulators, especially in light of the fact that no grace period has been mentioned by the CJEU. This is reflected in the Article 29 Working Party’s statement on the decision. Regard should also be given to the new GDPR, which purports to create a set of coordinated DPAs via the One Stop Shop, and which will provide DPAs with fiercer enforcement powers. Therefore, affected companies should turn their attention to implementing alternative mechanisms.
Alternative options for EU to US transfers
Although this ruling has a significant impact on EU to US data transfers, it should be noted that Safe Harbour is not the only option available for such transfers, and that alternatives may be relied upon. US companies that rely on the Safe Harbour framework to transfer personal data to the USA will now have to consider alternative methods of transfer in order to comply with EU law. The decision will have an impact on both US processors and controllers, as the way in which processors implement the ruling should be considered and aligned with the controller. EU companies currently using a US Safe Harbour certified service provider will also have to consider their response to the Schrems decision. As with US companies, a number of the same alternative options are available. The suitability of each mechanism for a business depends on a number of considerations (discussed below).
Postpone action at present
One suggested approach is to postpone taking any action in respect of relevant transfers until further guidance has been issued. This solution would avoid time and cost burdens, and would also enable companies to implement changes as set out in anticipated prescribed guidelines. However, it also has the potential disadvantage of loss of trust from clients or consumers who may be discouraged by the companies’ inaction. It must also be highlighted that enforcement action is still feasible, albeit unlikely.
EU Model Clauses
Another alternative would be to incorporate the Commission’s Standard Contractual Clauses into data transfer agreements. The EU model controller-to-processor clauses could be utilised in order to comply with standards throughout all EU countries, and may help to satisfy customers that appropriate data protection compliance is in place. The model clauses do however impose certain obligations, and may result in further administrative work. Affected companies could decide to include EU model clauses in an agreement executed with a US-based service provider, or incorporate them into an intra-group agreement, depending on the relevant circumstances. There is, however, a potential obstacle created by this method of transfer in that for certain EU member states the company may need to file the agreement with the local DPA. This could be detrimental from both a time and economic perspective.
Binding Corporate Rules
In the case of companies carrying out intra-group transfers of personal data, they may wish to consider the mechanism of Binding Corporate Rules (BCRs). However, it should be noted that BCRs are mainly relevant in the case of intra-group transfers, and this may not be an appropriate option for some companies depending on the type of transfers taking place and their size. BCRs would be most suited to larger companies wishing to introduce a global privacy compliance framework, and may not be a suitable option for SMEs. In addition, this method of transfer usually has a longer time frame for implementation and could impose a significant time and cost burden on a business. Further, BCRs are not recognised by certain EU and non-EU countries which may be an issue depending on the location of relevant parties. The draft GDPR also includes provisions on BCRs which are likely to make the process easier, so this may not be the most prudent solution at present.
EU data centres or service providers
A further option for US companies to consider is the establishment of EU data centres; however this is likely to involve substantial costs and administrative efforts. European companies currently using a US service provider could opt to change to one based in the EU, which would not require any transfer outside of the EEA. However, this could have a negative impact on existing business relationships.
Consent
Consent of the individual whose personal data is being transferred to the US is another alternative to Safe Harbour, although it is not the most practical solution since the consent has to be specific, informed and freely given. In addition, DPAs have expressed their disapproval of consent for bulk transfers. The Article 29 Working Party, in its WP Paper 114, indicated that ‘consent is unlikely to provide an adequate long-term framework in cases of repeated or structural transfers.’[1] Therefore this option is not entirely straightforward for businesses.
Performance of a contract
There are also other legal grounds for data transfers detailed in the Directive, such as the ‘performance of a contract.’ It may be worthwhile investigating whether this condition applies to a company’s data transfers, although it is likely to have limited application.
General audit and self-assessment
At this stage it would also be worthwhile for companies to map their data flows to establish any EU-US transfers, and consider what action they could take to mitigate the risk of enforcement. Such steps may include amending their privacy policies and/ or anonymising data transferred to the US, wherever possible, and when it is not required for the business activities in question. It would also be wise to review and assess agreements regarding relevant transfers that are currently in place, and determine whether any amendments should be made following the Schrems ruling.
Next Steps
It should be remembered that concerns and controversy regarding Safe Harbour have been surfacing since the revelations of NSA surveillance exposed by Edward Snowden. Over the course of the last two years, the European Commission and US authorities have been negotiating a replacement framework. A very likely consequence of the Schrems decision could be a ‘Safe Harbour 2.0.’, which has been reiterated by the Commission via its statement regarding ongoing negotiations with the US government on this subject. However, doubts remain as to whether a new Safe Harbour framework would be able to successfully overcome the issues presented by the original Safe Harbour data pact.
Conclusion
As outlined, there is no need for alarm at this stage, however, careful consideration should be given to how best to react to the invalidation of this mode of transfer. Hopefully, the CJEU’s ruling will hasten the current ongoing discussions between the US and the European Commission to create a successor framework to Safe Harbour. It is clear that EU-US transfers will continue to be vital, especially in the context of the tech age and digital economy. The draft GDPR may offer some comfort in that the proposed provisions on data transfers offer a wider scope for the establishment of an adequacy finding and should clarify transfer restrictions.
Natasha Simmons is an associate in the Commercial IP/IT Group at Bristows. Her practice focuses on privacy and data protection matters, including advising on compliance issues, particularly in respect of the upcoming General Data Protection Regulation, as well as new and developing technologies.
[1] Article 29 Working Party, Working document on a common interpretation of Article 26(1) of Directive
95/46/EC WP 114. Adopted 25 November 2005.