In the wake of the CJEU 'Schrems' decision, many organisations find themselves in the eye of the storm but with no clear course to navigate. Ultimately, the solution to personal data transfers to the US (i.e. Safe Harbour 2.0) needs to be hammered out by politicians. In the meantime, many organisations must decide whether to sit tight and wait for the storm to pass (and hope for the best) or to batten down the hatches as best they can.
Deciding what to do next will be a risk-based decision that pivots around factors such as the nature of the personal data being transferred outside of the EEA, the EEA country it is transferred from, and the size and nature of the organisation.
The Article 29 Working Party's statement of 16 October and the European Commission's opinion of 6 November (see more on this below) are key to deciding what to do next.
Various opinions from national data protection regulators have also been issued and these will also be important when deciding on next steps/priorities for personal data flows from particular EEA countries. These regulator statements are crucial for understanding which regulators will take a less 'sanguine' approach than others. In this update we give an overview of two contrasting approaches (UK and Germany).
Working Party Statement of 16 October
The Schrems invalidation of Safe Harbour had immediate effect and allowed no transition period, which immediately rendered personal data transfers to the US solely based on Safe Harbour unlawful.
The Article 29 Working Party (the "Working Party"), an independent advisory board of representatives from the data protection authorities of the EU Member States, initially released a press release on 6 October announcing the decision of the Court of Justice of the European Union (CJEU) and indicating that it will enter into a round of discussions. The Working Party then followed up with a statement on 16 October indicating that national data protection regulators will allow a short 'reprieve' until the end of January 2016 to allow data exporters to put in place alternative arrangements.
Their 16 October statement also called for a solution-finding process to enable personal data transfers to the US in a way that addresses the CJEU's criticisms in the Schrems decision. In essence, the downfall of Safe Harbour was the perceived lack of respect for the fundamental rights and remedies of EEA citizens once their personal data found its way into the hands of government bodies through wide rights of surveillance. Further detail can be found in our update on the Schrems case.
On the upside, organisations have been granted a period of reprieve, but on the downside it was also revealed that this is the calm before the storm. This reprieve is a limited period in which to get prepared. The Working Party went on to express the commitment of the European data protection authorities to initiate coordinated enforcement proceedings should no solution with the US authorities be found by 31 January 2016.
Safe Harbour 2.0 is definitely on the cards and efforts have been renewed to finalise the '13 point plan' for Safe Harbour. But is it likely that Safe Harbour 2.0 will have been resurrected like a phoenix from the ashes by January 2016? Although the European Commission's communication of 6 November (more of which below) is helpful and hopeful, in reality having a fully agreed and implemented Safe Harbour 2.0 by the end of January 2016 is overly optimistic.
European Commission 6 November communication
On 6 November, the European Commission issued a press release and a communication to the European Council and Parliament on personal data transfers to the US in which most notably they:
- Confirm the invalidity of Safe Harbour (not that by this stage we were in any doubt);
- Give a timeframe within which they are aiming to agree Safe Harbour 2.0 - three months. Although it is useful to set a timeframe, whether they will be able to stick to it will be another matter. In practice, even if it does only take another three months to reach agreement (taking us to the start of February 2016), this doesn't necessarily mean the new framework will be set up and ready for organisations to start self-certifying with the FTC (if that is how the new framework will operate). In their concluding remarks the Commission appears to indicate that organisations should not in the meantime 'wait and see' - "Until such time as the renewed transatlantic framework is in place, companies need to rely on the alternative tools available." Given that Model Contracts can take months to put in place (and of course, if you are relying on an existing third party provider to agree to them, it may never happen) and Binding Corporate Rules ("BCRs") can take years, this seems rather a tall order;
- Confirm that other mechanisms for personal data transfers remain valid. Amid the debate about whether other mechanisms remain valid (given they are subject to some of the same challenges that were faced by Safe Harbour) and particularly as some EEA countries have stated they might not be, this is helpful. Model Contracts (which are referred to as Standard Contractual Clauses or 'SCCs') and BCRs are specifically mentioned, as are certain permitted transfers which might take place on an ad hoc basis, such as where necessary to fulfil a contract with the data subject, to defend against legal claims or (as a last resort) with unambiguous, freely given, retractable consent. The communication goes on to give an overview of other tools available for transatlantic personal data transfers. Notably, it does not mention any form of 'self-assessment' of adequacy as a mechanism for data transfers. While the UK's Information Commissioner's Office (ICO) refers to adequacy in its recent statement on Safe Harbour, it should not be assumed that other data protection regulators take the same approach;
- Confirm that adequacy findings for non-EEA countries still stand and that it is not for data protection authorities to find otherwise (this is the role of the CJEU). While data protection regulators can examine adequacy, they would need to refer the matter to national courts, which can ask for a ruling from the CJEU. This clarification is helpful - country findings of adequacy and approved mechanisms for data transfers will not disappear overnight (or be subject to conflicting findings from national data protection regulators) but this does mean that they could be challenged via the official route;
- Comment on what national data protection regulators can do, and more importantly, what they do not have the power to do. Of particular interest is the comment that 'Since Commission decisions are binding in their entirety in the Member States, incorporating the SCCs in a contract means that national authorities are in principle under the obligation to accept those clauses. Consequently, they may not refuse the transfer of the data to a third country on the sole basis that these SCCs do not offer sufficient safeguards'. Possibly a gentle nudge aimed at the German data protection authorities who have commented that they will be suspending all Model Contract and BCRs approvals for the time being (more on this below); and
- Highlight the often overlooked point that compliance is not just about putting data transfer arrangements in place. In essence what they are getting at is that, if fundamentally the data collection and use is not compliant with data protection law, then putting a Model Contract in place is not going to help you.
Safe Harbour position papers from regulators
Several Member States' data protection authorities have issued position papers on the Safe Harbour ruling to outline their understanding of the decision and how they intend to go about implementing it into their daily practice. There is a striking contrast between the approach of the German and the UK data protection regulators, illustrating that the prudent data controller attempting to re-assess its personal data transfer strategy needs to factor in a risk assessment based on the country from which personal data is transferred. Some jurisdictions clearly will be higher risk than others.
- Weighing in at one end of the scale, the German data protection authorities published a joint position statement with the federal data protection officer which takes a very strict view of the Schrems decision. Most notably:
  - The data protection authorities intend to prohibit all data transfers solely based on Safe Harbour as soon as they learn about them;
  - They will not grant any permissions for data transfers based on BCRs or data transfer agreements (including Model Contracts) for the time being;
  - Consent can constitute a legitimate basis for transfer of personal data in very exceptional circumstances only, and the data protection authorities also question the permissibility of data transfers to the US based on the model clauses or BCRs.
The reason for this stringent approach is that these instruments do not protect the transferred personal data from what are considered unacceptably wide rights of access by the US authorities, nor do they provide legal remedies for non-US data subjects.
While this is logical, the practical consequence of this approach is no legitimate transfers of personal data to the US. For many, simply stopping transfers of personal data to the US (whether to group companies or third party providers) is not an option. This therefore leaves many organisations in a quandary with no easy solution. The European Commission is clearly conscious of this issue, and its comments to the European Council and Parliament of 6 November are helpful.
By contrast, although a similar point is also noted by the ICO in its opinion published in a blog dated 27 October 2015, the ICO seems to be taking more of a "let's wait and see" approach to this, and also towards enforcement, than the German authorities.
While the ICO stresses that companies need to take inventory of their data transfers and the implemented protection measures (and recognises that this may be a difficult task for many players in the field), it also advises not to panic or resort to other measures without thoughtful consideration. They flag that rushing to put other measures in place might not necessarily give the required protection either.
However, what they have not said (unlike the German regulator) is that they intend to prohibit all data transfers to the US as soon as they find out about them. Instead, they offer a glimmer of hope by gently referencing the possibility (for the UK, at least) to carry out your own assessment of adequacy. Not an ideal solution (because it still leaves a level of uncertainty as to whether the regulator will agree with your assessment) but better than nothing.
However, all parties refer to the ongoing negotiations about the development of a new Safe Harbour, a Safe Harbour 2.0. The EU's Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, highlighted in a speech given before the Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 26 October 2015 that the negotiations regarding a renewal of the Safe Harbour framework between the EU Commission and the US Department of Commerce (DoC) are continuing with increased speed and priority.
While she refers to the already identified 13 Recommendations of 2013 designed to achieve a heightened level of protection through the Safe Harbour framework, she also explains the Commission's view of the ruling and how it intends to address the concerns expressed by the CJEU in its negotiations with the US DoC, the essence of which are:
- The US legal system needs to provide for safeguards that are globally equivalent to the ones in Europe, but not necessarily identical.
- The CJEU deems a system of self-certification acceptable provided that it contains effective detection and supervision mechanisms which the DoC intends to deliver through stronger oversight, stronger cooperation with the European data protection authorities, and priority treatment of complaints by the Federal Trade Commission.
- The Commission and the DoC intend to put in place an annual joint review mechanism to cover all aspects of the functioning of the new framework to allow for adaptations and continuing adequacy.
- Safeguards and limitations of surveillance by law enforcement and national security in the US need to be put in place. There already are reform steps such as the USA Freedom Act and the President's instructions to the intelligence community through the Presidential Policy Directive 29. Further attempts are being made to extend the judicial protection under the US Privacy Act to EU citizens. However, these necessary restrictions seem to be the biggest hurdle in the process and require careful understanding of both sides' position.
What should you be doing now?
It is clear enough that the Working Party's view is that Safe Harbour can no longer be relied on. That leaves only one realistic option for bulk transfers of personal data to the US - Model Contracts.
None of the press releases, opinions, position statements or other publications provides any kind of certainty. There is currently no fail-safe way for companies to proceed. That does not, however, mean that you should do nothing.
What you can be doing is:
- Map personal data flows to the US (and ideally also to other non-EEA countries as well). This will involve getting to grips with where the information is entered onto systems, where it is stored, where it is backed up and where it is either sent to or can be accessed from. It is no small task (particularly for larger organisations) but is fundamental to understanding what data protection compliance measures need to be implemented and the risks of not doing so (given risks can vary depending on laws in any given EEA country and the views of the regulators on data transfers);
- Review the underlying justifications for data flows that are identified. For example, does the head office really need to see certain staff related information, does the HR team in the US really need access to all HR files on the system (including those of European staff), can the third party providers provide their services to you using anonymised information or does it need to be personal data?
- Check the safeguards put in place by recipients of personal data. A fundamental compliance requirement when it comes to personal data (regardless of whether it is sent outside of the EEA or not) is that it is protected by adequate technical and organisational security. Do you know whether the security in place for all data flows is adequate for the nature and volume of data and also the relevant country? For example, is data encrypted (in transit and at rest) with restrictions on who can decrypt it, and is the encryption sufficiently strong? This might particularly be a consideration in countries where government access to personal data is a concern (such as the US), but with the emphasis in the proposed Data Protection Regulation on technology that renders personal data unintelligible, encryption should become the norm not the exception.
- If your organisation was formerly Safe Harbour certified, consider whether you need to change privacy notices and other representations made about your Safe Harbour certification.
- Check third party contracts for reliance on Safe Harbour for the purpose of transferring your organisation's personal data to the US. If you suspect the personal data transfers issue was missed during contract negotiations with any particular providers, check whether they are on the Safe Harbour certification list with the Federal Trade Commission (which is still available on their website). This will give you an indication of whether they do transfer personal data outside of the EEA and whether this includes their customers' data.
- Conduct a very thorough and strict risk analysis regarding the transfer and the recipient, also considering the type of data and the business of the organisation. This needs to be a highly individualised process and can mean very different things for different companies, so there is no "one size fits all" approach to the situation, but it will likely include factors such as:
  - Personal data type and volume;
  - The country from and to which the data is transferred. For example, a transfer from the UK (where the regulator is taking a pragmatic approach) to Canada (a country for which the European Commission has already issued a finding of adequacy for the purpose of personal data transfers) is going to be low risk compared to a transfer from Germany to the US;
  - Whether your organisation is likely to draw the gaze of regulators. This might be because of previous complaints to the regulator, or if your organisation was formerly Safe Harbour certified, or if you are a larger/high profile organisation holding large volumes of personal data or you have access to sensitive information.
- Following this process and based on its outcome, organisations need to consider alternative or additional measures that can be put in place, and priorities for putting those measures in place. It might be that the outcome of the risk assessment is to 'wait and see', but this should be an informed and considered risk-based judgement, particularly bearing in mind that the 'wait and see' approach may be riskier than putting in place alternative arrangements (even if imperfect).
What are the alternative measures that can be put in place?
In practice, the most viable option is likely to be the use of European Commission approved Model Contracts. Putting in place Model Contracts will be faster than implementing BCRs. That said, the effort involved in putting Model Contracts in place should not be underestimated - they need to be completed with details of the data flows and, for transfers to non-EEA data processors, technical security details also need to be completed.
In some countries the model clauses will need approval from, or notification to, the relevant European regulators. It is not an overnight solution - for some organisations, by the time they get through the process, Safe Harbour 2.0 may have emerged like a phoenix from the ashes.
- Consent is the least desirable option as it is revocable, and can seldom be regarded as freely given in an employment relationship (given the imbalance of power between employer and employee). More generally (whether employee data or not), the fact that it is revocable means it is highly impractical for anything but ad hoc personal data transfers. However, in individual cases it is a preferable tool for transfers as it can usually be obtained quickly and without too much paperwork.
- BCRs are internal rules that an organisation gives itself for the handling of personal data; they are approved by the data protection authorities and thereby recognised as providing adequate protection. Note that they are only applicable within the boundaries of one organisation, so only to internal data transfers, not to or from external organisations. They require careful drafting following the analysis process, and the entire process is likely to take anywhere between 12 and 24 months or even more. You may also find that in the interim you still need to put Model Contracts in place.
- Self-assessment of adequacy - this is not an option for every EEA country but for countries such as the UK, this could be considered as an alternative. This is not an ideal option given it leaves a level of uncertainty as to whether the relevant regulator would agree.