Tracking the aftermath of Safe Harbour – transfers of personal data under intense scrutiny in the EU and further afield
November 23, 2015
It was only ever going to be a short matter of time before the repercussions of the Safe Harbour judgment of the Court of Justice of the European Union (CJEU) in early October started to play out across Europe and beyond.
With the Safe Harbour transfer mechanism declared invalid, national data protection authorities around the world have been scrutinising current transfer methods and looking for solutions for the future. In light of increasing uncertainty over cross-border transfers and the upcoming GDPR, which provides for strict enforcement actions and fines, it is more important than ever to be able to demonstrate that your protection of personal data is operationally adequate.
International reactions to the judgment are worth considering as the various territories have grappled with the issue of how to ensure that data transfers with the US can continue, alongside a compliant data transfer framework:
Statement of the Information Commissioner’s Office of the UK (6 October 2015)
The Deputy Commissioner issued a statement saying that businesses using Safe Harbour will ‘need to review how they ensure that data transferred to the US is transferred in line with the law’ and recognised that ‘it will take them some time for them to do this.’ The Deputy Commissioner urged businesses to bear in mind that Safe Harbour is not the only basis for transferring personal data to the US. The ICO noted the advanced negotiations between the Commission and US authorities, which are working to introduce a new arrangement to replace Safe Harbour.
Statement of the Article 29 Working Party (16 October 2015)
The Working Party, which includes representatives from the national data protection authorities of the EU Member States, was quick to release a statement on the initial consequences of the judgment. Their key message was that transfers that are still taking place under the Safe Harbour Decision are unlawful.
They urgently called on Member States and European institutions to open discussions with the US to find solutions, with Standard Contractual Clauses and Binding Corporate Rules remaining valid, but open to challenge, in the meantime.
A deadline of the end of January 2016 was set for a solution to be found, after which EU data protection authorities are to take ‘all necessary and appropriate actions’, including coordinated enforcement, in order to ensure ongoing compliance. Businesses are called to consider the ‘eventual risks’ in transferring data and are urged to put legal and technical solutions in place ‘in a timely manner’.
Israeli Law Information and Technology Authority action (19 October 2015)
The Israeli Law Information and Technology Authority (ILITA) revoked its authorisation for data transfers to take place to the United States on the basis of the Safe Harbour framework.
Israel is on the ‘White List’ of countries recognised by the Commission as providing adequate protection of personal data and previously allowed for transfers to take place to a country that received data from the Member States, if this took place under the same terms of acceptance. This provided a sufficient foundation for transfers from Israel to the US by way of the Safe Harbour Decision. In the wake of the CJEU judgment, this foundation has crumbled and the ILITA has been quick to remove this authorisation.
Order by the High Court of Ireland (20 October 2015)
The Irish High Court ordered the Irish Data Protection Commissioner to examine Schrems’ complaint regarding Facebook’s European privacy practices, and in particular to investigate whether to suspend the relevant transfers to the United States. The Commissioner has shown a willingness to engage on this matter and released a statement on the day of the CJEU judgment stating her office would ‘immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgement can be implemented in practice, quickly and effectively.’
Guidance issued by the Data Protection Authority of Portugal (23 October 2015)
The Portuguese Data Protection Authority (CNPD) issued guidance stating that it will review transfers of personal data to the US taking place under Safe Harbour, which it considers is no longer a legitimate ground for such transfers. In light of the Working Party’s Statement, the CNPD is analysing alternative transfer mechanisms, but it has stated that it will only issue provisional authorisation for transfers to the US.
Position Paper from the Data Protection Authority of Germany (26 October 2015)
The German federal and state Data Protection Authorities issued a Position Paper which reached far beyond the Safe Harbour Decision. As expected, as a result of the CJEU judgment, they announced that data transfers based exclusively on Safe Harbour will be prohibited and have also found transfers based on other instruments, such as Model Clauses and Binding Corporate Rules to be questionable. In light of this, they will not be issuing any new approvals for Binding Corporate Rules or data export agreements to the US. Instead, they have called for companies to immediately design their data transfer mechanisms in a way that complies with data protection law.
Views of the Dubai International Financial Centre (DIFC) (26 October 2015)
The invalidity of the Safe Harbour Decision was stated as providing cause for the Data Protection Commissioner to ‘reconsider the adequacy status previously afforded’ to data transfers to the US under this mechanism.
Until there is clarity on EU-US transfers from negotiations of the relevant European and US authorities, the Commissioner has stated that transfers to the US should take place under alternative mechanisms.
Publication by the Information Commissioner’s Office of the UK (27 October 2015)
The Deputy Commissioner published a blog indicating that Safe Harbour was ‘breached but perhaps not destroyed’. It was stated that the CJEU’s judgment ‘did not strike down Safe Harbour itself, but focused on the Commission Decision that had given the assurance to businesses.’ Critically, the Deputy Commissioner considered that ‘there is still a measure of protection for personal data transferred under the scheme’ as the privacy principles that members sign up to are still positive. What has disappeared is the assurance that Safe Harbour is automatically considered to provide adequate protection.
A further consequence of the CJEU’s judgment is that data protection authorities are able to consider complaints even where there is an existing Commission Decision on the issue. The Deputy Commissioner has stated that ‘it’s inevitable that some of the legal certainty that Commission findings of adequacy have provided for businesses in the past may no longer be available, for instance in relation to the adequacy of particular countries and standard contractual clauses.’ While the Deputy Commissioner has stated that these still stand and can be relied on by businesses for the time being, the judgment is considered to ‘cast some doubt on the future of these other mechanisms’.
The ICO has urged businesses not to panic, and not to rush to ‘other transfer mechanisms that may turn out to be less than ideal’, especially as there is a possibility that a new, improved Safe Harbour may emerge. UK businesses were also reminded that they do not have to rely on Commission decisions on adequacy and may instead rely on their own adequacy assessments.
Communication issued by the European Commission (6 November 2015)
The Commission issued a Communication to the European Parliament and Council in light of the CJEU’s judgment, providing an overview of the alternative tools for transatlantic data transfers in the absence of an adequacy decision. The Commission has stated that it ‘remains committed to the goal of a renewed and sound framework’ for transfers to the US and is stepping up its talks with the US government. In the meantime, the Commission has set out the following alternative bases for transfers to the US and to other countries which have not been found to ensure an adequate level of protection:
- When the data controller adduces appropriate safeguards regarding the protection of the privacy and fundamental rights and freedoms of individuals, as well as with respect to the exercise of those rights. Such safeguards can notably be provided by means of contractual clauses, which include Model Clauses and Binding Corporate Rules.
- When a derogation expressly listed in Article 26(1) of Directive 95/46/EC (the EU Data Protection Directive), as transposed into national legislation across the European Member States, applies. An example of this would be the data subject unambiguously giving their consent to the proposed transfer. If a derogation does apply, the exporting party does not have to ensure that the importing party will provide adequate protection, nor will they usually need to obtain prior authorisation for the transfer. However, these derogations are strictly applied and the Working Party has recommended using a specific legal framework such as Model Clauses and Binding Corporate Rules when the transfers are repeated, mass or structural in nature.
For further guidance and how PwC can help, please see our Safe Harbour and GDPR Action Plan.