Safe Harbor update – and what to do

Nigel Miller

This is an update following our earlier item “US Safe Harbor scheme for data transfers ruled invalid” which can be found here.

Article 29 Working Party opinion

The EU data protection authorities – known as the Article 29 Working Party – have discussed the consequences of the European Court of Justice (CJEU) decision.

First, they have expressed the opinion that data transfers to countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for data transfers from the EU.  Therefore, the Working Party is urgently calling for open discussions with US authorities in order to find political, legal and technical solutions to enable data transfers to the US. The current negotiations around a new Safe Harbor could be a part of the solution.

These discussions between the EU Commissioner and US authorities are ongoing, but it is not known if and when they will reach a conclusion. However, it is understood that any new agreement on Safe Harbor 2.0 will involve a new “self-certification” system but with greater oversight and enforcement by EU and U.S. authorities than was the case with Safe Harbor 1.0.

In the meantime, the EU data protection authorities are clear that transfers from the EU to the US can no longer be framed on the basis of “Safe Harbor”. Transfers that are taking place under Safe Harbor after the CJEU judgment are therefore unlawful.

How might this affect you?

You could be affected by this decision if, for example, your parent company is a US company and your HR or customer data is held by the parent company on servers in the US.

You could also be affected if you are one of the many EU-based companies that use Software-as-a-Service (SaaS) solutions which are hosted in the US where the service provider is under Safe Harbor – such as Amazon Cloud or Salesforce.

Similarly, if you are a US based vendor to data controllers located in the EU and your customers have relied on your Safe Harbor certification, then you need to put in place an alternative solution in order to maintain your EU business.

Other solutions to Safe Harbor

Logically, other solutions, such as Standard Contractual Clauses and Binding Corporate Rules, could also be challenged on the same ground as Safe Harbor. Indeed, the German DP Authority has issued a paper saying that they will not issue any new authorisations for transfers to the US. In addition, Israel’s and Switzerland’s DP Authorities (both declared by the EU to have “adequate” legal regimes) have said that they will not allow transfers to Safe Harbor registered companies.

However, notwithstanding this, the Article 29 Working Party have expressed the view that Standard Contractual Clauses and Binding Corporate Rules can still be used, although it is possible that their position on this will change.

By way of summary, other possible solutions to Safe Harbor include the following:

  • Consent – although it is lawful to transfer personal data with the data subject’s consent, in practice this is not a satisfactory solution on which to rely. First, in relation to HR data, consent is not deemed to be effective because of the lack of real choice that an employee has. Second, consent could always be refused or, if given, could be revoked (and then what?).
  • Standard Contractual Clauses – a relatively straightforward solution that can be readily put in place, but suited to ‘one-to-one’ transfers, where there are two separate contracting parties, the data exporter and the data importer. In some scenarios multiple contracts may be needed. In other scenarios, such as where a UK branch of a US company is transferring data to itself, Standard Contractual Clauses may not be effective as there will not be two separate contracting entities unless there is a restructure of some sort.
  • Binding Corporate Rules – a possible solution for international groups with ‘many-to-many’ transfers.  However, to put in place BCRs is a time-consuming exercise.
  • Restructure data flows – restructure your data flows so that personal data does not leave the EEA and thus avoids the issue.  This is a technical solution and not a legal one and may not be practicable for commercial or technical reasons.
  • Self-assessment – the UK Information Commissioner has indicated that international transfers could be made following a self-assessment of the laws of the country of the data importer.  Much depends on the nature of the data that you are transferring and who you are transferring it to and whether the data can be adequately protected after transfer.  This may be helpful for purely intra-group transfers (e.g. of HR data) but does not provide a secure legal basis for transfer to US-based external third parties.

What to do

The European Commission is expected to issue guidance on the consequences of the CJEU’s decision shortly.

Meanwhile, businesses that have been relying on Safe Harbor must consider putting in place an alternative solution.

The EU data protection authorities have said that if, by the end of January 2016, no appropriate solution is found with the US authorities, they are committed to taking co-ordinated enforcement action. On the other hand, the UK ICO has said that it will not be taking any hurried action whilst there is so much uncertainty around, but it does not offer a specific timeframe.

Therefore, if you have been relying on Safe Harbor for transfers to the US, there could be a relatively short time window in which to put in place a new arrangement.

That said, a blog from the ICO counsels “don’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal”.

The first step is to re-assess your position. What personal data are you transferring outside the EU, where is it going to, and what arrangements have you made to ensure that it is adequately protected?

If these arrangements include Safe Harbor, which of the alternative mechanisms could you use? In practice, in many cases, the most convenient option will be Standard Contractual Clauses.

If Standard Contractual Clauses are unsuitable for any reason then it is possible that a new Safe Harbor 2.0 will emerge so it is also reasonable in the short term to “wait and see”, especially with further official guidance expected.

Please contact us for assistance with reviewing your options or in respect of data protection compliance generally.

US Safe Harbor scheme for data transfers ruled invalid

The Court of Justice of the EU ruled on 6 October 2015 that the US Safe Harbor scheme is invalid.

While this outcome is not entirely unexpected, it is a highly significant development for companies involved in the transfer of personal data from the EU to the US, and also for US based service providers providing data services or SaaS solutions to EU based clients. The judgment means that businesses that have relied on Safe Harbor will need to review how they ensure that data sent to the US is transferred in line with the law.

Background
The eighth data protection principle of UK Data Protection Act – reflecting the EU Data Protection Directive – says that personal data shall not be transferred to a country outside the European Economic Area (EEA) unless that country ensures an “adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

You can transfer personal data overseas if you have the individual’s consent. However, this is not a great solution as consent even if given may later be withdrawn and true consent is hard to obtain. In particular, consent will not be valid if the individual – such as an employee of a UK subsidiary being asked to agree that his or her information may be held by the US parent company – has no choice but to give their consent.

Data transfers can be made to any country in respect of which the European Commission has made a ‘positive finding of adequacy’. While countries such as Canada, New Zealand, Israel and Switzerland are on this list, the US is not.

If the transfer is to the US, and the US recipient of the data has signed up to the US Department of Commerce Safe Harbor Scheme under which the transferee undertakes to comply with certain data protection principles, then – until now – this has been recognised as providing “adequate protection”. Over 5,400 US companies are on the Safe Harbor list.

How did this case arise?
An Austrian citizen called Maximilian Schrems was a Facebook user. As with other EU Facebook users, Mr Schrems’ Facebook data was transferred from Facebook’s Irish subsidiary to servers located in the US.

Mr Schrems filed a complaint with the Irish data protection regulator that, in the light of the Edward Snowden revelations in 2013 concerning the mass surveillance monitoring activities of the US intelligence services, and the fact that US intelligence can access personal data of EU individuals, the US does not offer an adequate level of protection against access by US authorities to personal data transferred to the US. Accordingly, Mr Schrems sought an order that Facebook should not transfer his data to the US.

While the Irish authority initially rejected the complaint because Facebook is registered under Safe Harbor, the issue was referred to the Irish High Court and then to the European Court of Justice.

So, what should we do?
The Safe Harbor Scheme is not the only basis on which transfers of personal data to the US can be made. Adequate safeguards can be put in place in a number of ways including:

  • using approved Model Contract Clauses – intended for one-to-one bilateral transfers from a data controller in the EEA to a data controller or a data processor outside the EEA;
  • adopting Binding Corporate Rules – intended for multinational organisations transferring information outside the EEA but within their group.

Businesses that have up to now relied on Safe Harbor will need to review the legal basis for future transfers and may need to implement some alternative solution. There is unlikely to be a quick fix, but specific actions may include:

  • Auditing data transfers and assessing legal risk.
  • Considering alternative data transfer architectures where possible; for example, using service providers who retain data within the EEA, or other approved countries.
  • Implementing Model Contracts with any counterparties, such as group companies or cloud service providers.
  • For intra-group transfers, adopting Binding Corporate Rules within the group.
  • Reviewing if and where data subject consents are being obtained.
  • Checking contractual arrangements in case the loss of the Safe Harbor is a breach of data processing obligations and, if so, assessing what action to take.

What’s next?
The decision creates uncertainty as to how matters will develop in relation to trans-Atlantic data transfers. It also raises the possibility that other data transfer arrangements (such as the standard clauses for controller-controller or controller-processor data transfers) could also be open to challenge and invalidated.

The UK Information Commissioner recognises that it will take some time for companies to respond. As such, there is unlikely to be any immediate regulatory action taken in respect of companies that have hitherto relied on Safe Harbor and may now, strictly speaking, be in breach of the eighth data protection principle.

Concerns about the Safe Harbor have been expressed for a while. Indeed, negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement – sometimes referred to as Safe Harbor 2.0. While these negotiations are well advanced, it is not known if and when they will come to a conclusion.
Meanwhile, further guidance from the EU and UK Regulators is to be expected within the coming days/weeks.

Please contact us for assistance with reviewing your options or in respect of data protection compliance generally.