Current status of Data Transfers to the USA
2015 was an eventful year for Data Protection, capped, in my view, by the European Court of Justice’s decision to view the Safe Harbor scheme as inadequate, and to remove it as a basis for data transfers to the US.
The Commission, in its formal communication in October stressed the following points:
- the Safe Harbour arrangement can no longer serve as a legal basis for transfers of personal data to the U.S.;
- the Commission will seek a renewed and sound framework for transatlantic transfers of personal data as soon as possible, which must meet the requirements identified in the ECJ ruling, notably with regard to controls and safeguards on access to personal data by U.S. public authorities;
- other adequacy decisions will need to be amended, to ensure that EU Data Protection Authorities (DPAs) remain free to investigate complaints by individuals.
We are continuing to hear noises about this re-drafting of the Scheme, this time with more engagement from the FTC, and more confidence that the seven Safe Harbor principles will be upheld.
The ECJ Communication set out the alternative basis for transfers of personal data to the U.S., but leaves it to the individual Member States to determine whether such arrangements are acceptable:
- Contractual solutions: contracts between the data exporter and the data recipient could include obligations, such as security measures, information to the data subject, safeguards in case of transfer of sensitive data, etc. Helpfully, the EU Commission offers model, standard contractual clauses on its website, available on its website.
- Binding Corporate Rules for intra-group transfers: this structure allows personal data to move freely among the different branches or subsidiaries of a worldwide corporation. The Rules must first be approved by the DPA in each Member State from which the multinational wishes to transfer data, which can be a time-consuming and expensive process;
- Derogations: transfers of personal data can proceed where certain circumstances exist, such as:
- Conclusion or performance of a contract [including pre-contractual situations, e.g. in order to book a flight or hotel room in the U.S., personal data may be transferred];
- For the purpose of the establishment, exercise or defence of legal claims;
- In the absence of any other justification, where the Data Subject, to whom the data relates, gives their free and informed consent.
Following on from the ECJ recognition that each individual Member State has the ultimate ‘say’ in whether data transfers can proceed, a number of Statutory Authorities have issued position statements – disappointingly, at time of writing, Ireland is not among them.
The following is a summary of those positions, in no order of priority. Sytorus will continue to monitor progress (if any), and once a new arrangement is in place, we will be happy to provide an update. Watch this space!
The Article 29 Working Party
The Article 29 Working Party, which is a committee made up of all of the EU's national data protection authorities, issued a statement in November saying that it was currently reviewing "the impact of the CJEU judgment" on model clauses, BCRs and other mechanisms that enable EU-US data transfers.
Whilst model clauses and BCRs already in place can continue to be used, the Working Party has said there is still the potential for national Data Protection Authorities to examine whether companies relying on those arrangements comply with EU data protection laws.
The Working Party has called on EU and US officials to "find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights" by the end of January 2016.
It has said that the National Data Protection Authorities could take enforcement action against companies if "no appropriate solution is found with the US authorities" by the end of January 2016.
Extract from statement of the Information Commissioner’s Office (ICO):
“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers…
Businesses should check the ICO website for details over the coming weeks.”
Various UK legal firms have offered a range of advice on alternative solutions, in the absence of Safe Harbor. According to most of these firms, the simplest and safest way is to put in place a contract with the US recipient that uses Standard Contract Clauses which have been approved by the EU (the model Clauses mentioned above). These clauses must be used unamended and Controllers need to select the one that suits the business relationship best.
If the standard clauses are not appropriate, there are other mechanisms that can be used, such as an ad hoc assessment of the level of protection available and a bespoke contract, although they recognise that “these alternatives come with their own baggage of complexity and risk”.
Not to forget, of course, that if an EU Controller is dealing with a US entity of any substance, the US firm is more than likely to have considered how to deal with the development and have proposals of their own regarding a possible resolution.
Spain’s Data Protection Authority, the Agencia Española de Proteccion de Datós (‘AEPD’), has issued a deadline of 29 January 2016, for the implementation of alternative mechanisms to Safe Harbor. The AEPD imposed the deadline on all companies operating in Spain that had previously notified it of personal data transfers to the United States which were based on the recipient’s Safe Harbor certification. The letter requires companies in Spain to inform the AEPD of the mechanism(s) they have implemented to ensure the “adequate protection” of personal data which is transferred to the United States. No guidelines have been issued as to what constitutes ‘adequate protection’, other than the mechanisms referenced by the ECJ communication (above).
The Czech Republic
The Czech Republic’s DP Authority recommends using EU Model Clauses or BCRs as an alternative to the Safe Harbor basis, and, indeed, for data transfers to all countries outside the EEA.
The Czech Authority does not require companies to respond to it’s guidance, nor does it stipulate a specific timeline in which to take such actions, nor does it mention any potential enforcement actions.
Consequently, the DPA still considers the EU Model Clauses as a valid solution for data transfers to the US.
German Data Protection Authorities have determined that organisations subject to German data protection laws will not be able to agree new Binding Corporate Rules (BCRs) in order to transfer personal data to the US.
The few companies with BCRs already in place will continue to be able to rely on those arrangements at the moment. However, the German Authorities have outlined their intention to closely monitor the measures businesses have in place to safeguard personal data when it is transferred to the US in light of the Court of Justice ruling.
The German authorities also confirmed that they will also not allow companies to put in place new "data export contracts" as a basis for transferring personal data to the US. EU data protection laws allow for personal data transfers outside of the EU where it is necessary for the conclusion or performance of certain contracts.
The statement issued by the DP Authorities significantly limits the steps which German businesses can now take to continue with data transfers from the EU to the US.
They have allowed that companies can transfer personal data to the US on the basis of the data subjects' consent "under strict conditions". However, this will prove extremely cumbersome, and ultimately unworkable, as it could be interpreted that companies might need consent for each transfer of personal data to the US which they make. They said consent obtained in one instance would not justify the repeated, mass or routine transfer of personal data.
The Polish data protection authority (the Inspector General for Personal Data Protection – “GIODO”) has released a statement regarding the Safe Harbor Decision, referring to the Article 29 Working Party’s statement that Standard (Model) Contractual Clauses and Binding Corporate Rules can still be used.
The Italian Data Protection Authority revoked the authorisation, issued in October 2001, by means of which data transfers to the United States by Italian firms were allowed on the basis of the Safe Harbor scheme.
In order to lawfully transfer the personal data overseas, multinational companies, Italian organizations and companies subject to Italian law will therefore have to use other tools, such as the Data Subject’s express consent, the Model contractual clauses or the Binding Corporate Rules (so-called BCR’s).
Switzerland (not an EEA member, but a designated ‘Safe’ country)
Switzerland's federal data protection and information commissioner has acknowledged that the 'safe harbour' framework is invalid in light of the CJEU's ruling.
Swiss firms should therefore implement the following measures:
Data Subjects whose data is transmitted to the United States must be informed, as clearly and as fully as possible, of the possible access to their data by US authorities, in order to enable them (the Swiss Data Subjects) to exercise their rights.
Any contract regarding such a transfer of personal data should include a commitment by the contracting parties in this direction.
The parties to the data transfer must agree to make available to the Data Subject any tools necessary for the effective legal protection of their data, to actually perform the relevant procedures and to abide by the court decisions that result from such action.
Furthermore, it should be noted that in Switzerland, the Data Subject has the right, at any time, to examine in the civil courts any personal data relating to them which is to be transferred to the United States.
The Swiss authority (the FDPIC) asked the parties to any data transfer to make the necessary adaptations to their respective contracts by the end of January 2016.
It continues to study, in coordination with its EEA counterparts, whether additional measures are needed to ensure the protection of fundamental rights.
Israel (another non-EEA ‘Safe’ Country)
Israel's Law, Information and Technology Authority (LITA) has removed a derogation that existed in Israeli law which allowed businesses to transfer personal data to the US from Israel on the basis of the safe harbor regime. Guidance on alternative solutions has not been forthcoming at the time of writing.
The bottom line on all of this appears to be that EU companies are ultimately responsible for the data transfer solutions which they put in place.
They, therefore, need to understand what data they maintain and transfer so that they can develop an approach that allows them to handle any data being transferred internationally within this highly-volatile environment