Developments following the European Court’s 6 October 2015 Schrems ruling that declared data transfers under Safe Harbor invalid continue apace with the publication of an official 16-page Communication from the European Commission of 6 November. Please refer to our main alert for the background and our comments (including 3 videos) on the Schrems judgment and its consequences along with practical suggestions for businesses to take now to comply.
The specific aim of the Communication is to “provide an overview of the alternative tools for transatlantic data transfers under [the EU Data Protection Directive] in the absence of an adequacy decision.” In our view the following are the most notable points that come out of this statement:
- Model Contracts – the Commission gives full support to the use of Model Contracts, in contrast to recent statements made by some EU Data Protection Regulators/Authorities (“DPAs”), such as in Schleswig-Holstein and Rheinland-Pfalz in Germany, which we reported on here. The Commission’s view is that even in EU Member States where permission from DPAs is required to use Model Contracts (and remember that permission may not be needed in Germany in any event) this has to be automatically granted if the Model Contracts are used without having been amended (i.e from the existing standard European Commission model clauses);
- Binding Corporate Rules (for intra-group transfers) (“BCRs”) – the Commission gives full support to BCRs and highlights the fact that, because most EU Member States require authorisation of BCRs, in order to facilitate and speed up that process a standardised application form can be used coupled with a procedure under which one DPA will act as lead to handle the authorisation process;
- Derogations – if there is no Adequacy Decision (explained below) and irrespective of the use of Model Clauses or Binding Corporate Rules, certain derogations (or exceptions) may be used for data transfers from the EU. Whilst the Commission also continues to support the use of these, the Commission acknowledges that “due to their exceptional character, the Article 29 Working Party considers that these derogations have to be strictly interpreted”, and, concerning the consent derogation, “In light of [its] limitations the Article 29 Working Party takes the view that consent is unlikely to provide an adequate long-term framework for data controllers in cases of structural transfers”; and,
- Adequacy Decisions – the Commission has previously considered that ten places (mostly countries including Argentina, Canada, Israel, New Zealand and Switzerland) ensure an adequate level of protection for data transfers from the EU. The Commission will now amend these decisions to specifically ensure that DPAs are able to investigate complaints by individuals in connection with these.
What power does the Commission have to influence DPAs?
The simple answer is perhaps not much. Under the current EU data protection regime (and this may change with the New EU Data Protection Regulation – see here for our FAQs on this) data protection enforcement is set by the DPAs in each EU member state enforcing their local law. As the Schrems decision has made clear the European Commission cannot make decisions which bind DPAs, especially when it comes to Safe Harbor. As the Commission itself notes, the Communication is “without prejudice to the independence and powers of the DPAs to examine the lawfulness of such transfers”. At best then the Commission’s comments are persuasive.
Given the nature of the Commission’s role in data protection matters there is a risk that, for example, following a complaint, a DPA might still choose to scrutinise a business’ data transfer arrangement. In addition, and despite the Communication trying to put some unity in place, in light of the comments of some DPAs (as noted above) the approach of some DPAs might not be consistent. They might, for example, adopt a stricter approach than the Commission, particularly where (as seems likely) a direct complaint is made. There are reports of some DPAs already writing to the European subsidiaries of companies on the Safe Harbor register to ask them what plans they have in place post-Safe Harbor. These communications are likely to increase as the Article 29 Working Party’s suggested January 2016 deadline gets nearer.
Currently, where feasible, Model Contracts may still be the best way forward for businesses to consider putting in place as a stop-gap, as we have previously pointed out, at least until “Safe Harbor 2” is agreed (see below). We do not advocate waiting to see what happens with the Safe Harbor 2 negotiations before taking action. This could put you in the awkward position of being in the firing line for having taken no action to protect data transfers since the Safe Harbor decision was made invalid on 6 October.
For the longer term, but starting now, consideration should also be given to adopting BCRs. Our earlier article here explains the BCR system.
Model Contracts should minimise risk, but bear in mind that Model Contracts are not foolproof and could still be challenged before the European Court and in light of the Court’s approach to Safe Harbor a strict approach to Model Contracts could be equally expected from the Court. In addition, they are contracts which expose both parties to liability, as any contract does, and they should be read carefully and understood. We have seen a trend of vendors trying to bolt on extra terms to the Model Contracts – make sure you understand what these do. In some cases, they are just to deal with structural issues where group companies are involved, in others they add additional processing provisions which may have been overlooked in the original processing agreement. However, we have also seen structures where a contract is presented as being a solution for Safe Harbor issues, but instead also acts to disadvantage the customer or ring-fence liability for the provider for processing which is unrelated to protecting the transfer of data. Care needs to be taken with Model Contracts as a result.
Additionally BCRs are also not a total solution – as we have also pointed out before, for example, the Portuguese DPA’s official response to the Schrems ruling stated that BCRs are not an option yet in Portugal.
Despite the existence of derogations, not only are they of use in just a narrow set of situations (and some are more of use for public authorities than businesses), the one requiring consent is subject to several conditions and cumbersome and heavy on resources for a business to apply.
The Commission intends to make only a limited amendment to the existing Adequacy Decisions, but, in light of what the Schrems ruling says about the problematic issues around governmental access to electronic communications, and, of legislation not allowing individuals legal remedies to get access to data or to get it rectified or erased, we wonder if the Commission will also have to undertake a wider review and take these factors into consideration. If a wider review is undertaken, that could lead to a more radical rethink about some of the Adequacy Decisions, especially as regards the issue of whether there is legislation in the places concerned that allows individuals legal remedies to get access to data or to get it rectified or erased. Businesses currently relying on the Adequacy Decisions will therefore need to follow developments in this area carefully.
Safe Harbor 2
We’ve also been following developments with a replacement for the current Safe Harbor regime. The European Commission is currently negotiating with the US on the basis of 13 Recommendations that the Commission set out in 2013. European Commissioner Jourová said the following in Washington DC in a 16 November speech:
“I’m confident that we will meet the deadline of January 2016 for a new agreement on international commercial data transfers. Why ? Because we have clear guidelines from Europe’s highest court. Because we can build on discussions held since January 2014. Because it is in both Europeans’ and Americans’ interest. And finally, because there is a strong political commitment at the highest level on both sides of the Atlantic. We have shown with the Umbrella Agreement in the area of law enforcement that we can agree on common approaches on data protection, we should now repeat it in [the] area of commercial data transfers.”
Whilst we share some of the sentiments we think that lasting agreement by January 2016 is somewhat optimistic. Again, remember that the European Court’s judgment talks specifically about the need for the US to restrict governmental access to electronic communications, and to put legal measures in place for European citizens to get redress. These will be very difficult issues for the EU to get US agreement on.
It is also clear that Safe Harbor is very much on the minds of a number of pressure groups. Last week a number of them from both sides of the Atlantic joined together to petition both the European Commission and the US Secretary of State with their wish list for Safe Harbor’s replacement. The group includes Digital Rights Ireland, Liberty, Privacy International, Public Concern at Work, Privacy Rights Clearinghouse and the Electronic Privacy Information Center. You can see their wish list here.
There are also dark threats to Safe Harbor 2 already from some of those involved with the challenges of the original Safe Harbor scheme. As we have said in our earlier alerts (see here) there have been challenges to Safe Harbor since at least 2008. German regulators had indicated that companies should not place total reliance on Safe Harbor status in 2010. Given the head of steam that has built up it is hard to see Safe Harbor 2 being more litigation-proof than the original.
Although many are of course keen to see the EU and the US reach agreement overall we still urge businesses to not wait for resolution of this international process but to address the issues themselves in the meantime and do so as soon as possible.
You can find all of Cordery’s Schrems and Safe Harbor news, commentary and videos at our microsite here which includes practical advice for businesses.
Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785