The EU court’s ruling that the widely used Safe Harbor is invalid has caused widespread concern for many businesses. Are transfers of personal data from Europe to the US now illegal? What actions are regulators likely to take? What can organisations do to reduce their risk? We look at these questions in the light of initial responses from EU lawmakers and regulators.
Max Schrems’ complaint against Facebook
Max Schrems’s campaign against Facebook began while he was studying law in California. Facebook privacy lawyer Ed Palmieri came to speak to his class, and Schrems was reportedly shocked by the lawyer’s lack of awareness of data protection in Europe.
Schrems has since tackled Facebook on a number of fronts. One of these concerned the transfer of personal data from Facebook’s European HQ in Ireland to the US for processing there. Schrems asked the Irish data protection authority to stop the transfer of his personal data to the US. He complained that US law did not provide adequate safeguards against the surveillance activities of the US public authorities. The Irish regulator said that it could not act because the question had been settled by the EU Commission’s Safe Harbor decision. Schrems then took the matter to the Irish courts, which passed the baton to the European court for a definitive view.
The EU court took a long hard look at the EU Commission’s 15-year old Safe Harbor for transatlantic data transfer, and ruled it invalid.
What is the Safe Harbor?
Europe takes data privacy very seriously. Transfers of personal data outside the EEA are not permitted under Europe’s data protection regime unless appropriate safeguards are in place. Certain countries are recognised as providing adequate protection, but this is not the case for the US. US law favours its own citizens and permits more intrusive government surveillance than would be accepted in Europe. This presents business with a practical problem. Transatlantic data flows are a fact of life now in many spheres. Cloud storage is an obvious example. Service users may have little idea where in the world their data is being stored and processed.
Recognising that data exchange between the US and Europe was increasingly important for businesses, the EU Commission issued a decision in July 2000 to provide a “safe harbour” for certain transfers to the US.
Some 4,000 participating US organisations took advantage of the system organised by the US Department of Commerce. They were required to register and sign up to a set of Privacy Principles, such as notice to individuals and adequate security measures.
The Safe Harbor has increasingly been called into question, even more so since the revelations of rogue CIA agent Edward Snowden. The German data protection authorities have taken the lead on a stricter approach, calling for data exporters to check whether the Safe Harbor principles are actually followed and whether the recipient’s certification is still valid. And back in June, the EU’s Data Protection Supervisor, Giovanni Buttarelli, called for swifter progress towards reform.
The response to the Schrems decision
Initially, the response of regulators both at EU level and nationally was to pause and take stock. The EU Commission announced its intention to work with national regulators to come up with new agreed guidelines. The UK regulator, the Information Commissioner’s Office, acknowledged that it would take time for organisations to review their arrangements and ensure that data transfer to the US was compliant. The coordinated group of national regulators, the Article 29 Working Party, said on 16 October that it was “clear that transfers from the European Union to the United States can no longer be framed on the basis of the [Safe Harbor]”; it nonetheless effectively deferred taking active enforcement action until the end of January 2016 to allow the negotiations to proceed.
On 6 November, the Commission issued a more detailed reaction. This reviewed the alternative approaches that organisations can legitimately take to exporting data outside the EEA, and re-emphasised the Commission’s aim to replace the Safe Harbor as quickly as possible.
Alternatives to the Safe Harbor
The two main alternative approaches permitting data transfer to countries regarded as “unsafe” are:
- Standard Contractual Clauses, or SCCs
The EU Commission has rubber-stamped four sets of model clauses that apply to transfers between data controllers, or transfers between a data controller and a processor acting under its instructions. The SCCs deal with security measures, the information to be provided to an individual data subject, the individual’s rights to access and erase the data, and similar matters. They also give concerned individuals the right to bring proceedings in the data exporter’s home state, i.e. within the EU.
Where the SCCs are included in a contract, national data protection authorities should in principle accept them, although some (not including the UK’s Information Commissioner’s Office) impose a pre-authorisation procedure. Importantly, by signing up the data recipient submits itself to an EU-based regulator.
- Binding Corporate Rules
For transfers within a multi-national corporate group, enforceable rules to be followed by all group entities can be used. These must follow detailed requirements dealing with a range of matters including security of processing, transparent information to individuals and restrictions on onward transfer outside the group, as well as procedural matters such as auditing compliance.
Outside of these clear frameworks, other arrangements are possible to achieve compliance with EU data protection rules. These are based on specific exceptions such as unambiguous consent by the individual, performance of a contract with the individual, or defence of a legal claim. Detailed guidance has been provided for certain situations. Where, for example, an individual wants to make a foreign hotel reservation through a website, the booking website can rely on a specific exception for transfers necessary for the performance of a contract. But there has to be a “close and substantial connection” between the data subject and the purpose of the contract, and further transfers for peripheral purposes such as follow-up marketing are not allowed.
Several major corporate groups have issued statements following the Schrems judgment explaining that they base their data transfers to the US on alternative arrangements. Microsoft, for example, explains:
“We recognised the possibility of today’s legal ruling and put in place contingency measures for our enterprise customers. These built on work we’ve pursued for more than four years to increase protections for customers and ensure they are able to comply with laws and regulations when moving to Microsoft’s cloud.”
But ultimately, a decision on whether any given set of policies and arrangements is adequate would be made by a data protection regulator on a case-by-case basis.
New impetus for negotiations
The EU Commission has been negotiating with the US authorities since early 2014 to improve the Safe Harbor. Those discussions now have a renewed urgency and the Commission has “resumed and stepped up its talks with the US government in order to ensure that any new arrangement for transatlantic transfers of personal data fully complies with the standard set by the Court.”
The Commission has said that a new framework for transatlantic data transfer “remains a key priority” as it “provides the best solution for transatlantic trade as it offers a simpler, less burdensome and therefore less costly transfer mechanism, in particular for SMEs.” It aims to “conclude these discussions and achieve this objective in three months.”
Commissioner Jourova, visiting Washington DC in mid-November to progress the negotiations, said:
“Alternative ways of transferring data are a short-term solution. With the current volume of transatlantic data transfers, it is clear that we need a comprehensive and effective framework in place as soon as possible.”
What should you do? And when?
Despite the promises to get a new Safe Harbor arrangement in place, we cannot be confident that this will be achieved within the time-frame of the regulators’ unofficial pause. And even if a new arrangement is agreed, there may be a bedding-in period while US players decide whether they are happy to use it and make any necessary registrations.
Organisations collecting and using EU citizens’ data may decide that they cannot sit back and wait for this to be achieved. This may be the right time to take a careful look at what data is being transferred to and from the US and to verify that appropriate arrangements are in place to ensure ongoing compliance with the EU’s data protection regime.