What’s this all about?
As you will be well aware, the European Court ruled in the Schrems case last autumn 2015 that the EU US Safe Harbor Decision was invalid (see here for our earlier alert and a short film update). The EU and the US have been in discussion to try and agree a “Safe Harbor 2”, a process which had in fact started before the Schrems ruling but which now has a new pressing impetus.
Not long after the court’s ruling, the EU Article 29 Working Party, which is the independent body made up of the national data protection regulators (and others) that deals with issues concerning the application of the EU data protection rules, issued the following statement:
“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” (see here for more details)
To date, no “Safe Harbor 2” has been agreed, and so enforcement after the end of January against those who had been operating under the now invalid “Safe Harbor” is a distinct possibility – regulators know exactly who these businesses are and some of them have in fact already been contacting these businesses. We know action is being planned by regulators in Germany and France.
German regulators will meet on January 27th to work out their position and one, in Hamburg (the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit or HmbBfDI) has already issued compliance questionnaires which it says must be completed and returned by February 15th. It says it will then take action in February:
“To prevent any unlawful transmission on the basis of the no longer effective Safe Harbor decision, legal provisions for the enforcement of the decision will be taken from February 2016. This means, in particular, the issuing of prohibition orders or imposition of fines.”
The HmbBfDI action is significant as a number of large US technology corporations have their German base there.
The Article 29 Working Party met again to discuss the situation in Brussels on December 16th and, we understand, now has another meeting scheduled for February 2nd, just after the deadline is set to expire.
What can I do?
In sum, the following are possible actions to take:
- Make a plan;
- The first step of the plan is to map data flows to determine the following: what information travels outside of the EU, and on what basis? Is it inter-group, or is it to third parties? Are they using Safe Harbor as an exemption, or do you already have other comfort?
- Next, check your contracts with your third-party suppliers who use Safe Harbor. Do they deal with this situation? It might be time to start a dialogue;
- Equally, if you are a supplier who relies on Safe Harbor to legitimise your processing activities, make sure that the Schrems invalidity ruling doesn’t put you in breach of any of your contracts, and perhaps consider reaching out to your affected customers;
- Consider the options available to your business. In short, at the present time they are:
  - Stop transferring personal data to the US – for example, site your servers in the EU. This may be a draconian suggestion for some businesses, but for others it might be a relatively easy switch;
  - Put in place “Model Contract Clauses”. These are an easy fix as the terms have been fixed by the EU – but note that you shouldn’t change any of their terms. Also, they are legally binding documents which impose obligations on both parties which should be clearly understood, so don’t adopt them lightly. They also need to be entered into between data controller and data processor, and so for suppliers this can be a time-consuming and paper-heavy process. You might need help with the Appendices too;
  - Consider moving to “Binding Corporate Rules” (“BCRs”). This shouldn’t be a knee-jerk reaction as BCRs require a corporate “buy-in” to the protection of personal data, which is in fact their strength, and businesses who were “more seriously” in Safe Harbor may find that they are a long way down the path to making the changes required for BCRs. They are not an overnight solution, however, as even once you have your house in order, they have to be approved by data protection regulators and the negotiation process can take some months. BCRs are also not a catch-all solution, and some data protection authorities currently have no BCR option for data transfers in their jurisdiction. See here for more about BCRs.
Please do contact us about any of the above issues, as we have a great deal of experience in dealing with them. Details of Cordery’s data protection practice can be found here and details of our training solutions can be found here.
Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785