Personal data transfers to the US after Schrems – where are we now?
In October 2015, the Court of Justice of the European Union (CJEU) in Maximillian Schrems v Data Protection Commissioner (Case C-362/14) declared that the US-EU Safe Harbor arrangement for transferring personal data from the European Economic Area (EEA) to the US was invalid, thereby removing one of the most widely used methods for transferring personal data from the EU to the US.
On 6 November 2015, the European Commission (Commission) issued a Communication (Communication) to the European Parliament and Council on the transfer of personal data to the US, following the invalidation of Safe Harbor. This followed a statement issued on 16 October 2015 by the Article 29 Working Party (A29WP), the EU’s independent data protection advisory body, urgently calling on the EU institutions to find a new framework for transatlantic data-flows.
The A29WP also confirmed that if no appropriate replacement is found by the end of January 2016, the EU’s national data protection authorities (DPAs) may take all necessary enforcement action. With little time remaining before the 31 January 2016 deadline, the Communication provides guidance on current alternatives to Safe Harbor, and an update on the negotiations between the EU and US for a new framework to replace it.
What are the alternatives?
The Communication recognises the pressing need for certainty, and refers to the A29WP guidance which urged data controllers (i.e. businesses which determine the purposes and means of processing personal data) to put in place legal and technical solutions to mitigate the risks they face when making such transfers.
To assist businesses in assessing their compliance options post-Schrems, the Communication sets out three main alternatives for transferring personal data to the US:
- Contractual solutions: Often the most practical option is to enter into a data transfer contract using the Commission’s approved ‘Model Clauses’, which aim to compensate for the absence of an adequate level of protection in the country receiving the data by placing strict contractual obligations on the parties. The Model Clauses also give data subjects third-party beneficiary rights, allowing them to bring claims in the event of a breach. The Communication confirms that DPAs are in principle under an obligation to accept contracts incorporating Model Clauses as providing adequate protection for the data.
- Intra-group transfers: A multi-national group of companies may adopt binding corporate rules (BCRs), which are a single set of internal rules on the international transfer of personal data within the group that have been approved by the relevant DPAs. Whilst this dispenses with the need to put potentially numerous individual Model Clause contractual arrangements in place for intra-group transfers outside the EEA, obtaining BCRs requires a significant level of investment and is not an option in the short term for responding to Schrems.
- Consent: In the absence of Model Clauses or BCRs, personal data may be transferred to a non-EEA country if the data subject has unambiguously given his or her prior consent. There are limitations, however: the Commission echoes the A29WP in recognising that consent is unlikely to be a reliable option for businesses which carry out repeated, mass or structural transfers of personal data outside the EEA, because of the strict requirements to be met when obtaining consent, the difficulty of relying on consent given by employees, and the fact that consent can be withdrawn at any time.
Replacement of Safe Harbor?
The Commission has stepped up its existing talks with the US authorities with the aim of putting in place a new and stronger framework for data transfers, which addresses the deficiencies raised in the Schrems judgment.
These talks build upon progress made since January 2014, when the Commission initiated negotiations after identifying a number of shortcomings in Safe Harbor following the Edward Snowden revelations in 2013. In a speech made on 16 November 2015 during a visit to the US, Commissioner Jourová provided a progress update in which she stated that:
- The US has so far committed to moving the new system from a purely self-regulating one (which was the case under Safe Harbor) to one that is subject to proactive oversight. This will involve greater involvement from the US Department of Commerce, and stronger and regular cooperation between DPAs and their counterparts at the Federal Trade Commission.
- The biggest challenge to the negotiations is agreeing how to place clear conditions and limitations on the access to personal data by US national security and law enforcement bodies, with sufficient judicial control.
- The Commission is confident that a new framework will be agreed by January 2016, against a backdrop of strong political commitment from both sides.
The Communication provides helpful guidance at a time of great uncertainty for businesses operating internationally. Many questions remain unanswered, however, and doubts raised by the A29WP and certain DPAs as to the validity of the Model Clauses and BCRs have only heightened concerns. The January 2016 deadline for ‘Safe Harbor 2.0’ is looming, and DPAs are facing pressure to take action where necessary in relation to data flows to the US. The data protection activist who brought the original case against Safe Harbor, Mr Schrems, recently made further complaints to the Irish, German and Belgian DPAs requesting that they suspend all data flows from Facebook’s servers in Ireland to the US.
The Schrems judgment has also offered opportunities for forward-thinking businesses to use the anxiety surrounding data protection compliance to attract new EEA customers. For example, certain service providers have taken pro-active steps to offer services where only EEA-based servers are used to store and process personal data, thereby removing the need for data to be transferred outside the EEA. Customers should however remain vigilant and obtain full transparency on the entire data processing chain, including any sub-processors, before signing up with an ‘EEA-locked’ service. In particular, they should confirm that personal data for which they are responsible is not transferred outside the EEA in connection with any aspect of the service, for example when support and maintenance staff access the service or when the provider draws on additional capacity at times of peak demand.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.