
Friday, December 11, 2015

Personal data transfers from the EU to the US after the cancellation of Safe Harbor by the CJEU



In a landmark decision on 6 October 2015, the Court of Justice of the European Union (CJEU) held that the Safe Harbor principles, in effect between the EU and the US since 2000, were invalid. All European companies working with US commercial organizations adhering to Safe Harbor must reassess the conditions under which they are transferring personal data to these entities. (1)

The purpose of this article is to review the main rules governing cross-border personal data transfers and to provide a few answers and solutions following this landmark decision.


1. Personal data transfers outside of the European Union and the cancellation of the Safe Harbor principles

Although the 1995 Data Protection Directive lifted all restrictions on cross-border personal data transfers within the EU, transfers outside of the Union remain prohibited in principle, except in limited cases. (2)

    1.1 Rules governing personal data transfers outside of the European Union

With the globalization of the economy, and even more so with the digital economy, most companies transfer data to third countries, either to their headquarters or affiliates, to subcontractors, or to service providers. Although personal data transfers outside of the European Union are prohibited in principle, there are a few exceptions. The following cross-border personal data transfers are allowed:

    - data transfers to a country acknowledged by the European Commission as providing a sufficient, or “adequate” level of protection. Only a handful of countries outside of the EU are deemed to have enacted laws providing a level of protection equivalent to those in effect in Europe; (3)
    - data transfers between two entities (exporting and importing data) having signed the EU Standard contractual clauses (SCC) adopted by the European Commission. This contractual solution is applicable either between two data controllers or between a data controller and a subcontractor;
    - data transfers between two or more affiliates within a multinational corporation, subject to that multinational corporation having implemented Binding Corporate Rules (BCRs), applicable among all the affiliates and approved by one of the national data protection authorities (“national supervisory authorities”) such as the CNIL in France or the ICO in the UK;
    - data transferred in exceptional situations, if the data subject has given his consent to such transfer;
    - and until the 6 October 2015 decision, data transfers to the United States, subject to the importing company adhering to Safe Harbor.

The Safe Harbor principles include a set of personal data protection rules, negotiated between the US authorities (US Commerce Department) and the European Commission in 2000, and approved by a Commission decision dated 26 July 2000. (4)

The Safe Harbor principles include rules concerning the protection of personal data, designed after the principles of the 1995 Data Protection Directive. The Safe Harbor framework only applies to those US companies that have voluntarily declared to adhere to the principles. The US Federal Trade Commission (FTC) is in charge of administering the Safe Harbor principles including publishing the list of companies adhering to the system.

However, the Safe Harbor principles were declared invalid by the European Court of Justice on 6 October 2015.

    1.2 The Schrems decision


In its decision issued on 6 October 2015, the Court of Justice of the European Union invalidated the Safe Harbor framework, deciding that a national supervisory authority could suspend personal data transfers from the EU to the United States.

The case concerns an Austrian citizen, Maximillian Schrems, a Facebook user since 2008.

The data provided by European Facebook users are stored by its subsidiary, located in Ireland, prior to some of it then being transferred to the United States. Mr Schrems lodged a claim before the Irish Data Protection Commissioner, considering that following Edward Snowden’s disclosure regarding the activities of the US intelligence services (including the NSA and the FBI), the United States didn’t properly protect the personal data provided by the European citizens and residents against surveillance activities. The Irish data protection authority dismissed the claim, arguing that in its 26 July 2000 decision, the European Commission had considered that the United States provided an adequate level of protection of personal data transferred under the Safe Harbor framework.

Mr Schrems then brought an action before the High Court of Ireland, which decided to refer two questions to the CJEU for a preliminary ruling. The Irish judges wanted to know if the 2000 European Commission decision prevented the national data protection authorities from investigating when a data subject claims that a non-EU country doesn’t provide an adequate level of protection to the personal data transferred. Is the plaintiff irrevocably bound by the European Commission decision, without any possible legal recourse?

In its 6 October 2015 decision, the CJEU decided that the European Commission should have assessed whether the United States did provide adequate protection, through their legislation or through their international commitments, and at least, “a level of protection that is essentially equivalent to that guaranteed within the European Union by virtue of the European directive, read in the light of the Charter of Fundamental Rights of the European Union.”

The Court noted that the US authorities practiced massive and indiscriminate surveillance over the data transferred without granting effective legal protection to the data subjects.

US companies are subject to US mandatory laws and regulations which supersede the Safe Harbor principles. According to the Court, the European Commission didn’t research whether the United States did provide an adequate level of protection to personal data, and the US authorities, through their massive surveillance program, overreached their power and circumvented the privacy principles. The Court decided that the 2000 Commission decision was therefore invalid.

According to the CJEU, even though the European Commission did acknowledge that the United States granted adequate protection to personal data, the national data protection authorities must be able to control whether data transfers of a data subject to a non-EU country comply with the requirements of the 1995 Data Protection Directive.

The Court concluded that if a national data protection authority had doubts about the adequacy decision of the Commission, that authority must be able to bring an action before the national courts so that they may then send the case to the European Court of Justice. The 2000 decision of the European Commission cannot prevent data subjects and the national data protection authorities from such legal recourse.


2. The consequences of the Schrems case: legal insecurity requiring action

Personal data transfers to the United States made under the Safe Harbor principles are therefore no longer valid. This implies that data transfers which were previously valid are no longer legal, but also that it is no longer possible to initiate new personal data transfers under the Safe Harbor principles.

    2.1 Consequences of the Schrems case

- The article 29 working party (art. 29 WP): the French data authority (CNIL) is currently reviewing, together with its colleagues of the art. 29 WP (representatives of the national data protection authorities of the Member States), the legal and operational consequences of the CJEU decision.

In the meantime, the art. 29 WP has requested the national data protection authorities to implement a solution to overcome the current legal insecurity caused by the CJEU decision. In a declaration made on 15 October, the art. 29 WP invited the European institutions to initiate discussions with their American counterparts to find a new system allowing the transfer of personal data in compliance with the European fundamental rights, such decision to be reached by 31 January 2016. (5)

If the parties fail to reach an agreement by this deadline, the national data protection authorities may then “launch any action necessary, including coordinated punitive actions.”

- The national supervisory authorities: further to the CJEU decision, several national authorities have already taken “preventative” measures.

The data protection authorities from the German Länder and the national German supervisory authority have announced that they would no longer authorize new data transfers to the United States, including under the EU Standard contractual clauses or BCR schemes.

The Spanish data protection authority (Agencia Española de Protección de Datos - AEPD) announced that they would send a message to the entities that had declared transferring personal data under the Safe Harbor principles, enquiring about the alternative solutions that they plan to implement.

The Schrems decision has also spread beyond the boundaries of the European Union, including for those non-EU countries providing an adequate level of protection, regarding their data transfers to the US.

The Israeli data protection authority (Israeli Law, Information and Technology Agency - ILITA) has decided to suspend personal data transfers to the United States.

And the Swiss authority announced that as long as a new agreement with the US government hadn’t been reached, the “U.S.-Swiss Safe Harbor Framework” would no longer be considered a legal basis for transfers of personal data to the US in compliance with the Swiss law on data protection.

Other third countries are also reconsidering the conditions of cross-border data transfers to the United States and other countries.

- The EU Commission: on 6 November 2015, the Commission issued guidance on transatlantic data transfers which will remain effective until a new system is implemented.

The Commission analyzed the repercussions of the Schrems case and proposed alternatives to transfer personal data legally to the United States (including the EU Standard contractual clauses or BCR). (6)

- Toward Safe Harbor 2.0?: the EU Commission had already decided to review the Safe Harbor framework following Edward Snowden’s 2013 disclosures on the NSA surveillance program, conducted under the American security laws that came into effect after the 9/11 terrorist attacks. In November 2013, the Commission issued 13 recommendations to improve the then current Safe Harbor rules.

Since the Schrems decision of 6 October 2015, the EU Commission has been accelerating negotiations with its US counterparts to set up a new framework improving the legal protection for transfers of European personal data to the United States. The goal is to reach a new framework agreement by the end of January 2016.

    2.2 Data transfers during the interim period


The cancellation of the Safe Harbor principles creates uncertainty for companies that were transferring data cross-border under the Safe Harbor framework.

Can organizations transferring personal data to the United States pursue their operations without switching to a new legal framework until new Safe Harbor rules are issued by the EU Commission? Should they plan for the longer term and implement alternative solutions?

Should all data transfers to the United States be suspended, or should they be confined to Europe, or transferred to a country providing an adequate level of protection?

For data transferred under a cloud computing service agreement, what should the client do if the US service provider refuses to amend the transfer terms?

The three-month deadline to reach agreement on a new Safe Harbor framework may seem “aggressive”, and nothing guarantees that this deadline will be met by the authorities.

Until the authorities and institutions find a solution and a new 2.0 Safe Harbor framework comes to life, corporations must find legal and technical solutions to limit legal risks and circumvent transfer restrictions. Penalties for illegal cross-border data transfers can reach up to €300,000 and 5 years in prison.

- Legal and technical compliance audits: as a first step, entities exporting personal data to be processed in the United States should conduct a legal and technical audit of current data transfers as well as a risk analysis. The data processes, types of data transferred and legal regime under which the data are transferred must be clearly identified and characterized. Once a map of the data transfers has been set up, the impacts of the cancellation of Safe Harbor will be assessed on a case-by-case basis, with a short and a medium term evaluation.

- Compliance solutions: further to the compliance audit, alternative compliance solutions may have to be adopted. Three options can be considered: the EU Standard contractual clauses (SCC), private ad hoc contracts, and Binding corporate rules (BCRs) within a multinational group of companies.

The EU Standard contractual clauses (SCC) may appear as the easier short term option. It is however necessary to identify the types of Standard clauses that are relevant to the data processes, and have them executed “as is” by each party. Should any of the clauses be amended, the document will have to be approved by a national data protection authority.

Unless an agreement is reached with its US service providers to operate under the EU Standard contractual clauses, the European client entity may have no other solution than terminating the current agreement with its American service provider and selecting an alternative European provider, or a company located in a country providing an adequate level of protection.

The ad hoc contractual option, i.e. a contract drafted by the parties and adapted to the data process under consideration, could be the best option. An ad hoc contract is indeed more flexible and better adapted than the Standard contractual clauses. It is however necessary to take into account the cost, process and delays to receive an authorization from the national data protection authority. This contractual option may be used between two commercial entities or between affiliates (in lieu of BCRs).

Binding Corporate Rules (BCRs) can only be used within a multinational group of companies and are not an alternative to govern the relationship with third party commercial partners or service providers. BCRs also usually require several months to be drafted, then get approval from a national authority prior to being rolled out within the group of affiliated companies.

The benefit of these alternative solutions to Safe Harbor is their stability and the fact that they can remain the preferred solution after a new Safe Harbor framework is launched. If the authorities reach an agreement on a 2.0 Safe Harbor framework, the Schrems decision recalls that in case of alleged breach of their legal obligations, data subjects have a legal recourse against US companies adhering to the Safe Harbor principles.

                                                        * * * * * * * * * * * *


(1) CJEU, Gd Chamb., 6 October 2015, Maximillian Schrems / Data Protection Commissioner

(2) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

(3) The countries providing an adequate level of protection, and to which personal data may be transferred without additional formalities or authorizations are: Argentina, Canada, Iceland, Israel, Liechtenstein, Norway, New Zealand, Switzerland, Uruguay

(4) EU Commission Decision 2000/520 dated 26 July 2000

(5) Brussels, 15 October 2015: “Statement of the Article 29 Working Party”

(6) EU Commission press release dated 6 November 2015 “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case”



Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

December 2015
