This is an update following our earlier item “US Safe Harbor scheme for data transfers ruled invalid” which can be found here.
Article 29 Working Party opinion
The EU data protection authorities – known as the Article 29 Working Party – have discussed the consequences of the European Court of Justice (CJEU) decision.
First, they have expressed the opinion that data transfers to countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for data transfers from the EU. Therefore, the Working Party is urgently calling for open discussions with US authorities in order to find political, legal and technical solutions to enable data transfers to the US. The current negotiations around a new Safe Harbor could be a part of the solution.
These discussions between the EU Commissioner and US authorities are ongoing, but it is not known if and when they will reach a conclusion. However, it is understood that any new agreement on Safe Harbor 2.0 will involve a new “self-certification” system but with greater oversight and enforcement by EU and U.S. authorities than was the case with Safe Harbor 1.0.
In the meantime, the EU data protection authorities are clear that transfers from the EU to the US can no longer be framed on the basis of “Safe Harbor”. Transfers that are taking place under Safe Harbor after the CJEU judgment are therefore unlawful.
How might this affect you?
You could be affected by this decision if, for example, your parent company is a US company and your HR or customer data is held by the parent company on servers in the US.
You could also be affected if you are one of the many EU-based companies that use Software-as-a-Service (SaaS) solutions which are hosted in the US where the service provider is under Safe Harbor – such as Amazon Cloud or Salesforce.
Similarly, if you are a US based vendor to data controllers located in the EU and your customers have relied on your Safe Harbor certification, then you need to put in place an alternative solution in order to maintain your EU business.
Other solutions to Safe Harbor
Logically, other solutions, such as Standard Contractual Clauses and Binding Corporate Rules, could also be challenged on the same ground as Safe Harbor. Indeed, the German DP Authority has issued a paper saying that they will not issue any new authorisations for transfers to the US. In addition, Israel’s and Switzerland’s DP Authorities (both declared by the EU to have “adequate” legal regimes) have said that they will not allow transfers to Safe Harbor registered companies.
However, notwithstanding this, the Article 29 Working Party have expressed the view that Standard Contractual Clauses and Binding Corporate Rules can still be used, although it is possible that their position on this will change.
By way of summary, other possible solutions to Safe Harbor include the following:
- Consent – although it is lawful to transfer personal data with the data subject’s consent, in practice this is not a satisfactory solution on which to rely. First, in relation to HR data, consent is not deemed to be effective because of the lack of real choice that an employee has. Second, consent could always be refused or, if given could be revoked (and then what?).
- Standard Contractual Clauses – a relatively straightforward solution that can be readily put in place, but suited to ‘one-to-one’ transfers, where there are two separate contracting parties, the data exporter and the data importer. In some scenarios multiple contracts may be needed. In other scenarios, such as where a UK branch of a US co is transferring data to itself, Standard Contractual Clauses may not be effective as there will not be two separate contracting entities unless there is a restructure of some sort.
- Binding Corporate Rules – a possible solution for international groups with ‘many-to-many’ transfers. However, to put in place BCRs is a time-consuming exercise.
- Restructure data flows – restructure your data flows so that personal data does not leave the EEA and thus avoids the issue. This is a technical solution and not a legal one and may not be practicable for commercial or technical reasons.
- Self-assessment – the UK Information Commissioner has indicated that international transfers could be made following a self-assessment of the laws of the country of the data importer. Much depends on the nature of the data that you are transferring and who you are transferring it to and whether the data can be adequately protected after transfer. This may be helpful for purely intra-group transfers (e.g. of HR data) but does not provide a secure legal basis for transfer to US-based external third parties.
What to do
The European Commission is expected to issue guidance on the consequences of the CJEU’s decision shortly.
Meanwhile, businesses that have been relying on Safe Harbor must consider putting in place an alternative solution.
The EU data protection authorities have said that if, by the end of January 2016, no appropriate solution is found with the US authorities, they are committed to taking co-ordinated enforcement action. One the other hand, the UK ICO has said that they will not be taking any hurried action whilst there’s so much uncertainty around but they don’t offer a specific timeframe.
Therefore, if you have been relying on Safe Harbor for transfers to the US, there could be a relatively short time window in which to put in place a new arrangement.
That said, a blog from the ICO counsels “don’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal”.
The first step is to re-assess your position. What personal data you are transferring outside the EU, where is it going to, and what arrangements have you made to ensure that it is adequately protected?
If these arrangements include Safe Harbor, which of the alternative mechanisms could you use? In practice, in many cases, the most convenient option will be Standard Contractual Clauses.
If Standard Contractual Clauses are unsuitable for any reason then it is possible that a new Safe Harbor 2.0 will emerge so it is also reasonable in the short term to “wait and see”, especially with further official guidance expected.
Please contact us for assistance with reviewing your options or in respect of data protection compliance generally.