At the end of last week the EU Article 29 Data Protection Working Party (“WP29”) met to discuss “the first consequences to be drawn at European and national level” from the European Court’s 6 October judgment in the Schrems case which ruled that the EU US Safe Harbor Decision was invalid, following which the WP29 issued an official statement (which can be found here).
The WP29 is an official independent body made up of the national data protection regulators (the “DPAs”), the European Commission and the European Data Protection Supervisor and it deals with issues concerning the application of EU Data Protection Directive 95/46. Given the status and nature of the work of this key data protection regulatory forum its statement about the European Court’s judgment must be taken very seriously.
In our view, the following three key points come out of this statement.
- Any current transfers under Safe Harbor are unlawful, and the DPAs may be contacting companies using Safe Harbor
The WP29 has said it considers that “it is clear” that data transfers from the EU to the US can no longer be made on the basis of the Safe Harbor Decision, and:
“In any case, [data] transfers that are still taking place under the Safe Harbour decision after the [European Court] judgment are unlawful”.
The WP29 has said that to better inform people about this situation, the DPAs will undertake information campaigns within the EU Member States which:
“[…] may include direct information to all known companies that used to rely on the Safe Harbour decision […].”
By way of comment, businesses who receive such “direct information” should take note that this could be seen as meaning that these businesses are very much on the DPAs’ radars in terms of any possible future enforcement as regards how these businesses address the issue of data transfers between the EU and the US.
The statement concludes that in light of the European Court’s judgment:
“[…] businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks […].”
The necessity for businesses to take active steps as soon as possible is therefore imperative.
- Enforcement action could start from January 2016
The WP29 has called upon the EU to start discussing in earnest with the US to find “solutions” so that data transfers can be made from the EU to the US which respect fundamental rights. The WP29 has made it clear that, in its view, “massive and indiscriminate surveillance” is a key issue in the European Court’s judgment and that any future decision determining whether an adequate level of protection exists when personal data is transferred “implies a broad analysis of the third country domestic laws and international commitments.” According to the WP29 the “solutions” found by the EU and the US could be found through an intergovernmental agreement or within the existing Safe Harbor negotiations (the latter were going on prior to the European Court’s judgment), which the WP29 has stressed must include regulatory oversight mechanisms.
Further, the WP29 has said that:
“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
Failing any possible EU-US agreement (which at this stage is very difficult to predict happening), businesses have in essence 3 months within which to take active steps to get their houses in order, although this is probably less in real time given that this time period covers the holiday season and because many businesses will be preoccupied with other pressing end-of-year activities. Otherwise businesses face the risk of enforcement. Given this risk, the necessity for businesses to take active steps starting now is made more acute.
- Standard Contractual Clauses only realistic option in the short term – but consider a move to Binding Corporate Rules
The WP29 has said that it will continue to analyse the impact of the European Court’s judgment on other data transfer mechanisms, but, in the meantime in this regard, DPAs:
“[..] consider that Standard Contractual Clauses and Binding Corporate Rules can still be used.”
But, the WP29 also says that:
“[…] this will not prevent data protection authorities to investigate particular cases” such as through complaints “and to exercise their powers in order to protect individuals.”
By way of comment, the message here is somewhat ambiguous and doesn’t provide much comfort for businesses.
It should also be pointed out that in theory, although it is understood that this has not been done yet, an aggrieved party could bring a legal challenge to a given set of Standard Contractual Clauses which could eventually work its way through national courts and be referred to the European Court of Justice for a ruling on their interpretation with EU Data Protection Directive 95/46. However, even if brought now, such a challenge would take at least two years to reach the ruling stage at the European Court.
When you consider point 1, that any transfers under Safe Harbor are unlawful from the date of the judgment, and the fact that Binding Corporate Rules take a considerable time to agree, businesses not already using Binding Corporate Rules or transferring data outside of their group will need to rely on Standard Contractual Clauses.
For the future, however, Binding Corporate Rules do still appear to be a viable and more flexible option, although it may take time for a DPA to approve them. We have also written about these as a possible better way forward for businesses to consider, which can be found here.
Approach from individual DPAs
The WP29 has also said that the DPAs:
“[…] consider that it is absolutely essential to have a robust, collective and common position on the implementation of the [European Court] judgment”.
Whilst this may be the stated position the reality may be different. One notable example is the declaration made just before the WP29 meeting (which can be found in English here) by the Schleswig-Holstein DPA in Germany that:
“[…] a data transfer on the basis of [a] Standard Contractual Clause to the US is no longer permitted”
contradicting the WP29’s statement above about Standard Contractual Clauses, and certainly acting prior to the collective common position !
Next steps
We can only stress again that, if your business hasn’t already started doing so, now is the time for your business to take steps and consider doing the following:
- Take stock. Map out your data flows. What information travels outside of Europe ? On what basis? Is it inter-group or is it to third parties ? Has Safe Harbor been relied upon, or do you already have other comfort ?;
- Check your contracts with your third party suppliers who use Safe Harbor. Do they deal with this situation ? It might be time to start a dialogue;
- Equally, if you are a supplier who relies on Safe Harbor to legitimise your processing activities, make sure the European Court’s ruling doesn’t put you in breach of any of your contracts, and perhaps consider reaching out to your affected customers.
And then:
Consider the options available to your business. In summary, at the present time they are:
- Stop transferring personal data to the US – site your servers in Europe, for example. This may be a draconian suggestion for some businesses, but for others this might be a relatively easy switch;
- Put in place Standard Contractual Clauses for data transfer. In many ways, these are a really easy fix. The European Commission has already drafted them for you, and you shouldn’t change any of their terms. But they are legally binding documents which impose obligations on both parties which should be clearly understood – you shouldn’t enter into them lightly. They also need to be entered into between data controller and data processor, and so for suppliers, this can be a time-consuming and paper-heavy process.
- Consider moving to Binding Corporate Rules. We’ve recently discussed this process, and their inclusion in the proposed EU Data Protection Regulation are a signpost to their importance going forward. This shouldn’t be a knee-jerk reaction as Binding Corporate Rules require a corporate “buy-in” to the protection of personal data; but this is indeed their strength, and businesses who took adherence to Safe Harbor seriously may find that they are a long way down the path to making the changes required for Binding Corporate Rules. They are not an overnight solution, however, as even once you have your house in order, the negotiation process with the DPAs can take some months; but you may want to consider getting in quick before they are submersed in requests !
We have reported previously on the outcome of the Schrems case by video and in writing, and you can also hear an interview with Jonathan Armstrong, or listen to two podcasts on the topic here and here,.
Andre Bywater, Gayle McFarlane and Jonathan Armstrong are lawyers with Cordery in London where they focus on regulatory compliance, processes and investigations.
Gayle McFarlane, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 118 2700
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4H
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com