Following the approval of the EU-US Privacy Shield on 1 August 2016, the ICO has published a blog summarising the “what, why, and how” of transferring data from the UK to the USA.
Whilst it remains the case that:
the eighth data protection principle requires organisations that wish to transfer personal data outside of the EEA to ensure an adequate level of protection for data subjects; and
the European Commission has not deemed the USA as providing such adequate level of protection,
transfers to the USA are “adequate” if the organisation receiving the personal data is certified under the EU-US Privacy Shield.
The ICO makes it clear that any organisation still relying on the predecessor to the EU-US Privacy Shield, the Safe Harbor scheme, to transfer personal data from the UK to the USA needs to review their position. Seeking to continue to rely on the Safe Harbor scheme on its own will mean that an organisation is acting in breach of the Data Protection Act.
As a first step, the ICO recommends that any organisation looking to transfer data to the USA should ensure that the receiving organisation is certified under the EU-US Privacy Shield – if the receiving organisation is not certified you will need to rely on other ways to legally transfer the personal data to the USA.
At the present time, these include the model contractual clauses and binding corporate rules. However, the ICO is aware that such methods, whilst currently valid, are not free from uncertainty. This is not least because the model contractual clauses have been referred to the EU court by the Irish data protection regulator as to whether these clauses provide the adequate level of protection for international data transfers.
The ICO intends to issue guidance for organisations on international data transfers early in the Autumn – watch this space.
Laura Monro is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org
The EU has approved a new framework for transfers of personal data from the EU to the US, called the EU-US Privacy Shield. The Privacy Shield will replace the old ‘Safe Harbour’, which was ruled invalid in October 2015.
According to the EU, the EU-US Privacy Shield is fundamentally different from the old ‘Safe Harbor’. Like Safe Harbor, it is a self certification process. However, it imposes stronger obligations on companies handling the data to make sure that the rules are followed and enforced in practice.
Also, for the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. Privacy Shield also provides some mechanisms for redress including a specific ombudsman.
Registration for Privacy Shield can begin 1 August 2016. US companies that wish to take advantage of Privacy Shield can benefit from a nine month grace period to get into compliance if they register for Privacy Shield before end September 2016. So this does not give much time to decide about this and take action.
Unfortunately, while Privacy Shield is a very welcome development, it does not mean that the whole vexed issue of transfers from the EU to the US has been resolved. The Article 29 Working Party – made of the European data protection regulators – have been critical of certain aspects of Privacy Shield, which raises the possibility that Privacy Shield will itself be subject to challenge at some point.
In addition, the EU Model Clauses – the main enabling solution for transfers of personal data from the EU – has also been referred to the EU court by the Irish data protection regulator and could possibly suffer the same fate as Safe Harbor.
Privacy Shield – progress, but not the legal certainty that businesses need.
Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at email@example.com
A couple of days after expiry of the 31 January deadline, political agreement has been reached for a new arrangement for data transfers from the EU to the US, to be known as the “EU-US Privacy Shield” (aka Safe Harbor 2.0).
This follows the European Court of Justice decision in October 2015 in the Schrems case that the (old) Safe Harbour arrangement was invalid.
The new arrangement will provide stronger obligations on US companies to protect the personal data of Europeans and stronger monitoring and enforcement by the US FTC.
To facilitate the data flows, the US has been forced for the first time to give a commitment that access by US public authorities to the personal data of EU citizens will be subject to clear conditions, limitations and oversight. The US has also given an assurance that it will not conduct mass or indiscriminate surveillance of Europeans.
US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the FTC.
It is very common for EU based subsidiaries of US groups to transfer HR data to the US parent. Under the EU-US Privacy Shield any US company handling HR data from Europe will have to commit to comply with decisions by European DPAs.
In addition, Europeans who consider that their data has been misused will be able to raise any enquiry or complaint with a dedicated new Ombudsperson.
While it is remarkable to reach agreement on such matters within such a short space of time, underlining the political urgency, it’s not all done yet. The EU have to prepare a draft “adequacy decision” in the coming weeks. And the US have to put in place the new monitoring mechanisms and new Ombudsman. We continue to watch the space!
Meanwhile, bear in mind that Safe Harbor / the EU-US Privacy Shield is not the only solution to data transfers from the EU to the US and we continue to work with many companies to put in place other solutions, such as contracts based on model clauses or binding corporate rules.
First proposed in January 2012, agreement has finally been reached between the European Commission, the European Parliament and the Council (the so-called ‘trilogue’) regarding a new General Data Protection Regulation (GDPR).
Current data protection rules are based on the 1995 Data Protection Directive, which predates mainstream internet, social media, big data, the cloud and other advances in technology which shape the way business operates today. It’s a classic case of legislation not keeping pace with technological development; its overhaul is well overdue.
A key benefit of the GDPR will be a single harmonised data protection law covering the whole of the EU. At present, each EU state has implemented its own version of the 1995 Directive and differences can apply in different member states.
The main highlights are summarized as follows:
A stricter regulatory environment
Reflecting ever increasing concerns about how personal data is used in the digital economy, and the continuous flow of news reports about data security breaches, the GDPR imposes a much higher burden of compliance on business. Specific points include:
Fines – the maximum fine for breach of the GDPR is to be set at 4 per cent. of a company’s worldwide turnover. Currently the maximum fine under the DPA is £500,000. This alone should be enough to put the GDPR onto every Board’s agenda.
Easier access to data: individuals will have (and businesses will be required to provide) more information on how their data is processed and this information should be available in a clear and understandable way.
Consent – a new more expansive and specific definition of consent requires that it must be a “freely given, specific, informed and unambiguous indication of his or her wishes” by which the data subject, either “by a statement or by a clear affirmative action”, signifies agreement to personal data relating to them being processed.
Additional administrative burden – businesses must keep a record of any data processing activities under their responsibility (referred to as documentation) and must carry out data protection impact assessments (DPIAs) if they are processing date using new technologies and this is likely to result in a high risk to personal data.
Rules for innovation – the regulation requires that data protection safeguards are built into products and services from the earliest stage of development (privacy by design). Privacy-friendly techniques such as pseudonymisation are encouraged by the GDPR, to allow the benefit of big data innovation while protecting privacy.
Data protection officers – companies will be required to appoint data protection officers if they process sensitive data or collect information from consumers on a large scale. This will be an additional cost to many companies, although there is an exemption applicable to SMEs – see below.
Data processors – the GDPR treats data processors as data controller if they process personal data otherwise than in accordance with the data controller’s instructions and subjects data to processors fines for breaches of the GDPR; under current rules, in general, only the data controller is responsible for compliance.
Data breach notification – companies and organisations must notify the national supervisory authority (that’s the ICO in the UK) of serious data breaches as soon as possible so that users can take appropriate measures.
As well as the above, the new rules strengthen existing rights to include:
a right to data portability – the GDPR will make it easier for consumers to transfer personal data between service providers such as social network platforms and SaaS service providers;
right to be forgotten– EU citizens will have a stronger right to require that their data is deleted provided that there are no legitimate grounds for retaining it, which may require a business to rethink its current policy on data retention and deletion.
Impact on non-EU businesses – the new rules will apply to companies who do not have a physical presence in the EU but offer services in the EU and collect data about EU data subjects. This will, for example, affect many US companies that provide services into the EU.
International data transfers – the position regarding transfers of data outside of the EU is unsatisfactory, highlighted by the recent invalidation of the Safe Harbor framework in respect of transfers to the US. However, it seems that the position under the GDPR will be largely unchanged from the current position.
One continent, one law – The GDPR will establish one single set of rules for the whole of the EU which will make it simpler and cheaper for companies to do business in the EU.
One-stop-shop – businesses will only have to deal with one single supervisory authority.
Exemptions for SMEs
Under the new rules, SMEs benefit from certain exemptions to reduce the burden of compliance:
No more notifications: the requirement to notify to / register with the ICO is to be scrapped.
Subject access: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.
Before the GDPR becomes law, the final text must be formally adopted by the European Parliament and Council, which is set to happen at the beginning of 2016.
The new rules will then become applicable across the EU two years thereafter.
This is an update following our earlier item “US Safe Harbor scheme for data transfers ruled invalid” which can be found here.
Article 29 Working Party opinion
The EU data protection authorities – known as the Article 29 Working Party – have discussed the consequences of the European Court of Justice (CJEU) decision.
First, they have expressed the opinion that data transfers to countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for data transfers from the EU. Therefore, the Working Party is urgently calling for open discussions with US authorities in order to find political, legal and technical solutions to enable data transfers to the US. The current negotiations around a new Safe Harbor could be a part of the solution.
These discussions between the EU Commissioner and US authorities are ongoing, but it is not known if and when they will reach a conclusion. However, it is understood that any new agreement on Safe Harbor 2.0 will involve a new “self-certification” system but with greater oversight and enforcement by EU and U.S. authorities than was the case with Safe Harbor 1.0.
In the meantime, the EU data protection authorities are clear that transfers from the EU to the US can no longer be framed on the basis of “Safe Harbor”. Transfers that are taking place under Safe Harbor after the CJEU judgment are therefore unlawful.
How might this affect you?
You could be affected by this decision if, for example, your parent company is a US company and your HR or customer data is held by the parent company on servers in the US.
You could also be affected if you are one of the many EU-based companies that use Software-as-a-Service (SaaS) solutions which are hosted in the US where the service provider is under Safe Harbor – such as Amazon Cloud or Salesforce.
Similarly, if you are a US based vendor to data controllers located in the EU and your customers have relied on your Safe Harbor certification, then you need to put in place an alternative solution in order to maintain your EU business.
Other solutions to Safe Harbor
Logically, other solutions, such as Standard Contractual Clauses and Binding Corporate Rules, could also be challenged on the same ground as Safe Harbor. Indeed, the German DP Authority has issued a paper saying that they will not issue any new authorisations for transfers to the US. In addition, Israel’s and Switzerland’s DP Authorities (both declared by the EU to have “adequate” legal regimes) have said that they will not allow transfers to Safe Harbor registered companies.
However, notwithstanding this, the Article 29 Working Party have expressed the view that Standard Contractual Clauses and Binding Corporate Rules can still be used, although it is possible that their position on this will change.
By way of summary, other possible solutions to Safe Harbor include the following:
Consent – although it is lawful to transfer personal data with the data subject’s consent, in practice this is not a satisfactory solution on which to rely. First, in relation to HR data, consent is not deemed to be effective because of the lack of real choice that an employee has. Second, consent could always be refused or, if given could be revoked (and then what?).
Standard Contractual Clauses – a relatively straightforward solution that can be readily put in place, but suited to ‘one-to-one’ transfers, where there are two separate contracting parties, the data exporter and the data importer. In some scenarios multiple contracts may be needed. In other scenarios, such as where a UK branch of a US co is transferring data to itself, Standard Contractual Clauses may not be effective as there will not be two separate contracting entities unless there is a restructure of some sort.
Binding Corporate Rules – a possible solution for international groups with ‘many-to-many’ transfers. However, to put in place BCRs is a time-consuming exercise.
Restructure data flows – restructure your data flows so that personal data does not leave the EEA and thus avoids the issue. This is a technical solution and not a legal one and may not be practicable for commercial or technical reasons.
Self-assessment – the UK Information Commissioner has indicated that international transfers could be made following a self-assessment of the laws of the country of the data importer. Much depends on the nature of the data that you are transferring and who you are transferring it to and whether the data can be adequately protected after transfer. This may be helpful for purely intra-group transfers (e.g. of HR data) but does not provide a secure legal basis for transfer to US-based external third parties.
What to do
The European Commission is expected to issue guidance on the consequences of the CJEU’s decision shortly.
Meanwhile, businesses that have been relying on Safe Harbor must consider putting in place an alternative solution.
The EU data protection authorities have said that if, by the end of January 2016, no appropriate solution is found with the US authorities, they are committed to taking co-ordinated enforcement action. One the other hand, the UK ICO has said that they will not be taking any hurried action whilst there’s so much uncertainty around but they don’t offer a specific timeframe.
Therefore, if you have been relying on Safe Harbor for transfers to the US, there could be a relatively short time window in which to put in place a new arrangement.
That said, a blog from the ICO counsels “don’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal”.
The first step is to re-assess your position. What personal data you are transferring outside the EU, where is it going to, and what arrangements have you made to ensure that it is adequately protected?
If these arrangements include Safe Harbor, which of the alternative mechanisms could you use? In practice, in many cases, the most convenient option will be Standard Contractual Clauses.
If Standard Contractual Clauses are unsuitable for any reason then it is possible that a new Safe Harbor 2.0 will emerge so it is also reasonable in the short term to “wait and see”, especially with further official guidance expected.
Please contact us for assistance with reviewing your options or in respect of data protection compliance generally.