
Tuesday, March 22, 2016

Personal data transfers from the EU to the US: a new Privacy Shield to replace the Safe Harbor principles



The 1995 European directive on personal data protection allows companies to transfer personal data between Member States without restrictions. (1) However, personal data transfers outside of the European Union are prohibited, except to a limited number of countries providing an adequate level of protection (such as EEA Member States and countries whose adequate level of protection has been recognized by a decision of the European Commission). The Safe Harbor principles provided the legal framework for data transfers to the US.

In its ruling dated 6 October 2015, the Court of Justice of the European Union (CJEU) decided to cancel the Safe Harbor privacy principles. (2) Since July 2000, European companies working with US companies adhering to Safe Harbor could transfer personal data legally to the United States. Such data transfers occur between companies belonging to a multinational group located on both sides of the Atlantic, or between a European client company and a service company located in the US (e.g. a US hosting company, a cloud service company or a company providing any types of data management services). With the cancellation of Safe Harbor, personal data can no longer be transferred legally from the EU to the US under these privacy principles.

The European Commission and the United States have been negotiating to set up a new privacy framework to better protect personal data transfers of the European citizens to the United States. The goal of the Commission was to reach an agreement on a “2.0 Safe Harbor” before the end of January 2016. (3) An agreement was reached at the beginning of February 2016 and on 29 February, the text of the EU-US Privacy Shield was released.

We describe below the main principles applicable to the new Privacy Shield framework and recall the other legal “tools” available for European companies which have to transfer personal data to the United States.


1. The main principles of the EU-US Privacy Shield framework

The text of the new EU-US Privacy Shield framework regarding personal data transfers between the European Member States and the United States was published on 29 February 2016. (4)

The purpose of the Privacy Shield framework is to provide protection principles for the personal data of the European citizens transferred to the United States, equivalent to the principles applicable within the European Union. More specifically, with the Privacy Shield, the authorities wanted to fix the issues identified with the Safe Harbor principles and put an end to the mass surveillance practice developed by the US National Security Authority (NSA), disclosed by Edward Snowden in 2013.

The Privacy Shield principles include the following rights, which are similar to the rights arising from the EU privacy regulation:
    - a) notice to the data subject regarding the data processed by the organization, details about the data processed and how to contact the company with enquiries and complaints;
    - b) choice to opt out if the data is to be disclosed to a third party or used for a purpose which is different from the original purpose for which the data was collected. Processing of sensitive data is subject to opt-in consent from the data subject;
    - c) accountability for onward transfers to a third party;
    - d) security of the data processing against loss, misuse, unauthorized access, disclosure, alteration and destruction;
    - e) data integrity and purpose limitation. As in the EU, personal data collected must be limited to data relevant for the purpose of the processing being carried out;
    - f) access by the data subjects to their personal data to ensure that they can correct, amend or delete their data;
    - g) recourse, enforcement and liability mechanisms for individuals affected by non-compliance with the Privacy Shield.

The main provisions of the Privacy Shield framework, which differ from the Safe Harbor principles, can be summarized as follows:

- Companies will adhere to the Privacy Shield through self-certification. These organizations will be subject to strict compliance obligations. The US Department of Commerce will monitor and verify compliance by the companies which have registered. Companies adhering to the Privacy Shield principles must publicly declare their commitment to comply with the Privacy Shield, disclose their privacy policies (which must be in line with the Privacy Shield principles), and implement the Privacy Shield.

- Access to personal data by the US authorities will be regulated and only allowed for specific purposes, including law enforcement and national security. General access to data is prohibited.

- Several legal redress mechanisms are included in the new arrangement. Such legal recourse rights will be available to European as well as US citizens. One of the issues raised with Safe Harbor was that European citizens had no legal recourse in the US if a US company using their data and adhering to Safe Harbor did not comply with its legal obligations. From now on, European citizens will be able to choose among several legal recourse mechanisms in case of personal data misuse:
    (i) Mediation: a mediation service through an Ombudsperson mechanism, independent from the US security services, will be set up within the US Department of State;
    (ii) Complaints to the US data processor: individuals will be able to send a claim to the US companies adhering to the Privacy Shield for problems regarding their personal data. Companies will have to respond to such claims within 45 days;
    (iii) Claims to the national supervisory authority: individuals will be able to send a claim to their national supervisory authority (such as the ICO in the UK or CNIL in France). Each national data supervisory authority will communicate with the Department of Commerce and the Federal Trade Commission (FTC) so that the claims are actually processed and settled;
    (iv) Alternative dispute resolution: an out-of-court settlement mechanism will be available, free of charge;
    (v) Arbitration: an arbitration mechanism will be available as a last resort by a Privacy Shield panel.

US companies may also choose to comply with the advice and guidelines issued by the national supervisory authorities. Companies processing human resources data will however have to comply with such guidelines.

The Department of Commerce will maintain an updated list of current companies adhering to the Privacy Shield and a list of companies which have left the Privacy Shield arrangement.

- Finally, the Privacy Shield framework includes an annual joint review mechanism between the European Commission and the US Department of Commerce, and national surveillance experts working with the US and European data protection authorities. The purpose of this annual reassessment exercise will be to check the effectiveness of the Privacy Shield and the actual compliance regarding access to personal data for law and order and national security purposes.

The main differences between Safe Harbor and the new Privacy Shield principles are the rights of recourse by the European citizens who feel that their personal data has been misused, a strong commitment by the US authorities regarding supervision and enforcement, and a joint annual review process between the EU and US authorities.

However, this new privacy framework is not yet in effect. The European Commission must issue its adequacy decision on the new EU-U.S. Privacy Shield, pursuant to article 31 of the 1995 directive on the protection of personal data. The adequacy decision means that the safeguards provided when personal data are transferred under the Privacy Shield are equivalent to data protection standards in the EU. Indeed, absent such an adequacy decision, European companies cannot yet transfer personal data to US companies unless an alternative contract is in place. The legal adequacy assessment of the EU-US Privacy Shield will be conducted by the article 29 working party (art. 29 WP - representatives of the national data protection authorities of the Member States).

Meanwhile, European companies that must transfer personal data to the United States may still use the other existing legal tools available for transborder data transfers.


2. The other legal “tools” available to transfer personal data to the US

Until the Privacy Shield adequacy decision of the European Commission is released, the European companies which must transfer data to the United States must implement alternative legal tools. (5)

As experienced with the October 2015 CJEU ruling cancelling Safe Harbor, and with the new annual joint review mechanism of the Privacy Shield, companies adhering to such privacy frameworks are no longer assured of a stable long-term privacy protection environment for their transborder data transfers. The existing legal options are strong and stable alternatives to the Privacy Shield.

Three options are available: the EU Standard contractual clauses (SCC), private ad hoc contracts, and Binding corporate rules (BCRs).

The EU Standard contractual clauses (SCC) are relatively easy to implement subject to identifying the types of Standard clauses that are relevant to the data processes, and have them executed “as is” by each party. Should any of the clauses be amended by the parties, the document will have to be approved by a national data protection authority.

The ad hoc contractual option is a contract drafted by the parties and adapted to the data process under consideration. This may be the best option. An ad hoc contract is indeed more flexible and better adapted than the Standard contractual clauses. It is however necessary to take into account the cost, process and delays to receive an authorization from a national data protection authority. This contractual option may be used between two commercial entities or between affiliates (in lieu of BCRs).

Lastly, the Binding Corporate Rules (BCRs) option can only be used within a multinational group of companies. BCRs are not an alternative to govern the relationship with third party commercial partners or service providers. BCRs also usually require several months to be drafted and approved by a national authority prior to being rolled out within the group of affiliated companies. However, once the BCRs are approved and rolled out, this system is then a stable option.


As a reminder, penalties for illegal cross-border data transfers can reach up to €300,000 and 5 years in prison. This includes data transferred to the United States under the Safe Harbor principles, which are no longer valid.

                                                             * * * * * * * * * * * *

(1) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

(2) CJEU, Gd Chamb., 6 October 2015, Maximillian Schrems / Data Protection Commissioner

(3) European Commission - Press release dated 6 November 2015 “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case”; and see our article “Personal data transfers from the EU to the US after the cancellation of Safe Harbor by the CJEU”, published on this blog in December 2015

(4) European Commission - Press release dated 29 February 2016 “Restoring trust in transatlantic data flows through strong safeguards: European Commission presents the EU-U.S. Privacy Shield”

(5) The decision concluding the Umbrella agreement including the Privacy Shield should be adopted by the European Council after obtaining the consent of the European Parliament.



Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

March 2016

Friday, December 11, 2015

Personal data transfers from the EU to the US after the cancellation of Safe Harbor by the CJEU



In a landmark decision on 6 October 2015, the Court of Justice of the European Union (CJEU) held that the Safe Harbor principles, in effect between the EU and the US since 2000, were invalid. All European companies working with US commercial organizations adhering to Safe Harbor must reassess the conditions under which they are transferring personal data to these entities. (1)

The purpose of this article is to review the main rules governing cross-border personal data transfers and to provide a few answers and solutions following this landmark decision.


1. Personal data transfers outside of the European Union and the cancellation of the Safe Harbor principles

Although the 1995 Data Protection Directive lifted all restrictions to cross-border personal data transfers within the EU, transfers outside of the Union remain prohibited in principle, except in limited cases. (2)

    1.1 Rules governing personal data transfers outside of the European Union

With the globalization of the economy, and even more so with the digital economy, most companies transfer data to third countries, either to their headquarters or affiliates, to subcontractors, or to service providers. While personal data transfers outside of the European Union are prohibited, there are however a few exceptions to this principle. The following cross-border personal data transfers are allowed:

    - data transfers to a country acknowledged by the European Commission as providing a sufficient, or “adequate” level of protection. Only a handful of countries outside of the EU are deemed to have enacted laws providing a level of protection equivalent to those in effect in Europe; (3)
    - data transfers between two entities (exporting and importing data) having signed the EU Standard contractual clauses (SCC) adopted by the European Commission. This contractual solution is applicable either between two data controllers or between a data controller and a subcontractor;
    - data transfers between two or more affiliates within a multinational corporation, subject to that multinational corporation having implemented Binding Corporate Rules (BCRs), applicable among all the affiliates and approved by one of the national data protection authorities (“national supervisory authorities”) such as the CNIL in France or the ICO in the UK;
    - data transferred in exceptional situations, if the data subject has given his consent to such transfer;
    - and until the 6 October 2015 decision, data transfers to the United States, subject to the importing company adhering to Safe Harbor.

The Safe Harbor principles include a set of personal data protection rules, negotiated between the US authorities (US Commerce Department) and the European Commission in 2000, and approved by a Commission decision dated 26 July 2000. (4)

The Safe Harbor principles include rules concerning the protection of personal data, designed after the principles of the 1995 Data Protection Directive. The Safe Harbor framework only applies to those US companies that have voluntarily declared to adhere to the principles. The US Federal Trade Commission (FTC) is in charge of administering the Safe Harbor principles including publishing the list of companies adhering to the system.

However, the Safe Harbor principles were declared invalid by the European Court of Justice on October 6.

    1.2 The Schrems decision


In its decision issued on 6 October 2015, the Court of Justice of the European Union invalidated the Safe Harbor framework, deciding that a national supervisory authority could suspend personal data transfers from the EU to the United States.

The case concerns an Austrian citizen, Maximillian Schrems, a Facebook user since 2008.

The data provided by European Facebook users are stored by its subsidiary, located in Ireland, prior to some of it then being transferred to the United States. Mr Schrems lodged a claim before the Irish Data Protection Commissioner, considering that following Edward Snowden’s disclosure regarding the activities of the US intelligence services (including the NSA and the FBI), the United States didn’t properly protect the personal data provided by the European citizens and residents against surveillance activities. The Irish data protection authority dismissed the claim, arguing that in its 26 July 2000 decision, the European Commission had considered that the United States provided an adequate level of protection of personal data transferred under the Safe Harbor framework.

Mr Schrems then brought an action before the High Court of Ireland, which decided to refer two questions to the CJEU for a preliminary ruling. The Irish judges wanted to know if the 2000 European Commission decision prevented the national data protection authorities from investigating when a data subject claims that a non-EU country doesn’t provide an adequate level of protection to the personal data transferred. Is the plaintiff irrevocably bound by the European Commission decision, without any possible legal recourse?

In its 6 October 2015 decision, the CJEU decided that the European Commission should have assessed whether the United States did provide adequate protection, through their legislation or through their international commitments, and at least, “a level of protection that is essentially equivalent to that guaranteed within the European Union by virtue of the European directive, read in the light of the Charter of Fundamental Rights of the European Union.”

The Court noted that the US authorities practiced massive and indiscriminate surveillance over the data transferred without granting effective legal protection to the data subjects.

US companies are subject to US mandatory laws and regulations which supersede the Safe Harbor principles. According to the Court, the European Commission did not examine whether the United States did provide an adequate level of protection to personal data, and the US authorities, through their massive surveillance program, overreached their power and circumvented the privacy principles. The Court decided that the 2000 Commission decision was therefore invalid.

According to the CJEU, even though the European Commission did acknowledge that the United States granted adequate protection to personal data, the national data protection authorities must be able to control whether data transfers of a data subject to a non-EU country comply with the requirements of the 1995 Data Protection Directive.

The Court concluded that if a national data protection authority had doubts about the adequacy decision of the Commission, that authority must be able to bring an action before the national courts so that they may then send the case to the European Court of Justice. The 2000 decision of the European Commission cannot prevent data subjects and the national data protection authorities from such legal recourse.


2. The consequences of the Schrems case: legal insecurity requiring action

Personal data transfers to the United States made under the Safe Harbor principles are therefore no longer valid. This implies that data transfers which were previously valid are no longer legal, but also that it is no longer possible to initiate new personal data transfers under the Safe Harbor principles.

    2.1 Consequences of the Schrems case

- The article 29 working party (art. 29 WP): the French data authority (CNIL) is currently reviewing, together with its colleagues of the art. 29 WP (representatives of the national data protection authorities of the Member States), the legal and operational consequences of the CJEU decision.

In the meantime, the art. 29 WP has requested the national data protection authorities to implement a solution to overcome the current legal insecurity caused by the CJEU decision. In a declaration made on 15 October, the art. 29 WP invited the European institutions to initiate discussions with their American counterparts to find a new system allowing the transfer of personal data in compliance with the European fundamental rights, such decision to be reached by 31 January 2016. (5)

If the parties fail to reach an agreement by this deadline, the national data protection authorities may then “launch any action necessary, including coordinated punitive actions.”

- The national supervisory authorities: further to the CJEU decision, several national authorities have already taken “preventative” measures.

The data protection authorities from the German Länder and the national German supervisory authority have announced that they would no longer authorize new data transfers to the United States, including under the EU Standard contractual clauses or BCR schemes.

The Spanish data protection authority (Agencia Española de Protección de Datos - AEPD) announced that they would send a message to the entities that had declared transferring personal data under the Safe Harbor principles, enquiring about the alternative solutions that they plan to implement.

The Schrems decision has also had effects beyond the boundaries of the European Union, including for those non-EU countries providing an adequate level of protection, regarding their data transfers to the US.

The Israeli data protection authority (Israeli Law, Information and Technology Agency - ILITA) has decided to suspend personal data transfers to the United States.

And the Swiss authority announced that as long as a new agreement with the US government hadn’t been reached, the “U.S.-Swiss Safe Harbor Framework” would no longer be considered as legal basis for transfers of personal data to the US in compliance with the Swiss law on data protection.

Other third countries are also reconsidering the conditions of cross-border data transfers to the United States and other countries.

- The EU Commission: on 6 November 2015, the Commission issued guidance on transatlantic data transfers which will remain effective until a new system is implemented.

The Commission analyzed the repercussions of the Schrems case and proposed alternatives to transfer personal data legally to the United States (including the EU Standard contractual clauses or BCR). (6)

- Toward Safe Harbor 2.0?: the EU Commission had already decided to review the Safe Harbor framework following Edward Snowden’s 2013 disclosures about the NSA surveillance program conducted under the American security laws that came into effect after the 9/11 terrorist attacks. In November 2013, the Commission issued 13 recommendations to improve the then current Safe Harbor rules.

Since the Schrems decision of 6 October 2015, the EU Commission has been accelerating negotiations with its US counterparts to set up a new framework improving the legal protection for transfers of European personal data to the United States. The goal is to reach a new framework agreement by the end of January 2016.

    2.2 Data transfers during the interim period


The cancellation of the Safe Harbor principles creates uncertainty for companies that were transferring data cross-border under the Safe Harbor framework.

Can organizations transferring personal data to the United States pursue their operations without switching to a new legal framework until new Safe Harbor rules are issued by the EU Commission? Should they plan for the longer term and implement alternative solutions?

Should all data transfers to the United States be suspended, or should they be confined to Europe, or transferred to a country providing an adequate level of protection?

For data transferred under a cloud computing service agreement, what should the client do if the US service provider refuses to amend the transfer terms?

The three-month deadline to reach agreement on a new Safe Harbor framework may seem “aggressive”, and nothing guarantees that this deadline will be met by the authorities.

Until the authorities and institutions find a solution and a new 2.0 Safe Harbor framework comes to life, corporations must find legal and technical solutions to limit legal risks and circumvent transfer restrictions. Penalties for illegal cross-border data transfers can reach up to €300,000 and 5 years in prison. 

- Legal and technical compliance audits: as a first step, entities exporting personal data to be processed in the United States should conduct a legal and technical audit of current data transfers as well as a risk analysis. The data processes, types of data transferred and legal regime under which the data are transferred must be clearly identified and characterized. Once a map of the data transfers has been set up, the impacts of the cancellation of Safe Harbor will be assessed on a case by case basis, with a short and a medium term evaluation.

- Compliance solutions: further to the compliance audit, alternative compliance solutions may have to be adopted. Three options can be considered: the EU Standard contractual clauses (SCC), private ad hoc contracts, and Binding corporate rules (BCRs) within a multinational group of companies.

The EU Standard contractual clauses (SCC) may appear as the easier short term option. It is however necessary to identify the types of Standard clauses that are relevant to the data processes, and have them executed “as is” by each party. Should any of the clauses be amended, the document will have to be approved by a national data protection authority.

Unless an agreement is reached with its US service providers to operate under the EU Standard contractual clauses, the European client entity may have no other solution than terminating the current agreement with its American service provider and select an alternative European provider, or a company located in a country providing an adequate level of protection.

The ad hoc contractual option, i.e. a contract drafted by the parties and adapted to the data process under consideration, could be the best option. An ad hoc contract is indeed more flexible and better adapted than the Standard contractual clauses. It is however necessary to take into account the cost, process and delays to receive an authorization from the national data protection authority. This contractual option may be used between two commercial entities or between affiliates (in lieu of BCRs).

Binding Corporate Rules (BCRs) can only be used within a multinational group of companies and are not an alternative to govern the relationship with third party commercial partners or service providers. BCRs also usually require several months to be drafted, then get approval from a national authority prior to being rolled out within the group of affiliated companies.

The benefit of these alternative solutions to Safe Harbor is their stability and the fact that they can remain the preferred solution after a new Safe Harbor framework is launched. If the authorities reach an agreement on a 2.0 Safe Harbor framework, the Schrems decision recalls that in case of alleged breach of their legal obligations, data subjects have a legal recourse against US companies adhering to the Safe Harbor principles.

                                                        * * * * * * * * * * * *


(1) CJEU, Gd Chamb., 6 October 2015, Maximillian Schrems / Data Protection Commissioner

(2) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

(3) The countries providing an adequate level of protection, and to which personal data may be transferred without additional formalities or authorizations are: Argentina, Canada, Iceland, Israel, Liechtenstein, Norway, New Zealand, Switzerland, Uruguay

(4) EU Commission Decision 2000/520 dated 26 July 2000

(5) Brussels, 15 October 2015: “Statement of the Article 29 Working Party”.

(6) EU Commission press release dated 6 November 2015 “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case”



Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

December 2015