1. Why is this an issue?
The EU’s personal data protection legislation (and so the legislation of each EU Member State that implements it) is based on a “high level of protection”, so transfers of personal data to any place where the protection is not adequate are in principle prohibited. Data legislation in the USA does not provide a similar level of protection. (Here we refer to the EU, though the data transfer rules also apply to Iceland, Liechtenstein and Norway as part of the EEA.)
2. How did transfers happen up to now?
The European Commission is able to decide that a particular place has a sufficient level of protection (it has done this for Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay). In the case of the US, a self-certification process overseen by the US Department of Commerce was put in place, and transfers to entities that participated in it were deemed to receive a sufficient level of protection.
It is also possible to create a presumption that EU standards will be met by processors or data controllers in other countries by contractual terms (the European Commission has created so-called standard contractual clauses, also known as “Model Clauses”, for this purpose; other contractual terms are permitted, but the Model Clauses in unamended form should automatically be deemed to be sufficient), or by Binding Corporate Rules (see below) between entities in the same group of companies, or by other similar contractual safeguards. Finally (least attractive but still possible), specific authorisation from a Member State’s data protection authority can always be applied for.
3. What’s changed?
On 6 October 2015 the EU Court of Justice decided that the European Commission’s Safe Harbour decision (i) does not prevent national data protection authorities from investigating whether transfers are carried out with sufficient protection; and (ii) is in any event invalid, because the Safe Harbour system does not bind US authorities, may be overridden by national security, public interest or law enforcement requirements, and neither provides legal protection against interference with data subjects’ fundamental rights nor enables them to pursue legal remedies.
So we can no longer rely on the Safe Harbour scheme in order to permit transfers to the USA, whether to a third party or to one of our group companies. Transfers relying on that scheme are either now prohibited or subject to express authorisation from the relevant EU Member State’s data protection authority.
4. What can we do?
The most immediate solution is to use the Model Clauses and get them signed by all group companies or third parties receiving our data in the USA. The Model Clauses are available here. There are clauses for “controller to controller” transfers and “controller to processor” transfers.
Note that the Swiss-US Safe Harbor scheme is not affected by the judgment – however, the Swiss Data Protection Commissioner has indicated that “additional agreements” “should” be entered into in order to ensure sufficient protections.
For multinational groups there is also the possibility of using “Binding Corporate Rules” (“BCRs”) for intra-group transfers, which may include the USA or any other place. BCRs are a harmonised, group-wide code of practice intended to ensure that EU-style standards are met for data flows anywhere within the corporate group. They have the advantage of not requiring signatures from all group companies or separate agreements for different transfers. However, they must meet various detailed content requirements (see WP153 here), and require approval from at least one lead EU data protection authority (not all EU Member States mutually recognise approvals, so additional approvals can be required), plus identification of the group entities covered and evidence that the rules are binding. BCRs cannot be put in place quickly. They are also not recognised by all EU Member States (as at July 2015, not by Portugal and Hungary, for example), and certain national data protection regulators will still require filings before transfers are made, so they may not make a good immediate Safe Harbour replacement.
As an immediate measure, all businesses need to review their data flows to the USA, whether to other group companies or to US-based processors. Although some EU regulators may be willing to allow a reasonable transitional period, any business that has relied on the Safe Harbour for EU-US transfers should, as the most effective immediate course, sign the appropriate Model Clauses. BCRs may also be something for larger groups to consider, though as noted above there is a fairly onerous approval process to be gone through, which may take several months. The court’s decision arose from a complaint by an individual raising concerns over transfers of their data, and such a complaint could be made against anyone controlling or processing data at any time.
Signing the Model Clauses may present something of a challenge for large groups needing multiple signatures, and it is possible that in future the Model Clauses might not be permitted for use with the USA (on the understandable logic that the EU Court of Justice’s objections related not so much to the Safe Harbour concept as to concerns over the possibility of generalised surveillance by US authorities). However, until there is a binding decision that confirms this, they remain legal and are the most effective “gateway” for allowing international transfers without prior regulatory approvals. Microsoft has notably used this path, among others. The Article 29 Working Party of EU data protection regulators has also stated that they remain usable for now (slightly ominously, the Working Party referred to “coordinated enforcement action” if no further solution is found by the end of January 2016). For the future, the European Commission and regulators have stressed that the priority is to negotiate a different acceptable solution, but that will necessitate changes to US legislation as well as a new EU-US agreement. The ideal outcome may be that those legislative changes allow the Model Clauses to continue in use, as well as creating a new legal arrangement which allows business to continue as normal.
READ THIS NEXT: EU-US Data Transfers: Update July 2016 – Privacy Shield agreed