In an update of 6 October 2015 we discussed the landmark ruling handed down by the Court of Justice of the European Union (CJEU) in Maximillian Schrems v. Data Protection Commissioner (Case C-362/14).
In summary, Mr Schrems raised a concern over Facebook transferring personal data to the US under the Safe Harbor framework. Safe Harbor is a mechanism by which personal data is transferred between European Union Member States and the United States. The CJEU ruled that Safe Harbor is invalid.
This update takes a look at the aftermath of the decision including alternatives to Safe Harbor and the reaction of the business world, the Article 29 Working Party (a committee of EU data protection authorities), the European Commission and the Information Commissioner's Office.
Alternatives to Safe Harbor
There are three main alternatives to Safe Harbor:
- Model Clauses – impose obligations on both the exporter and the importer of the personal data to ensure that the transfer arrangements protect the rights and freedoms of the data subjects. Doubts have been expressed over whether the Model Clauses are a sufficient alternative to Safe Harbor in the long run. Model Clauses affect the whole of your business: data flows will have to be mapped, and privacy policies and consumer and business contracts may have to be amended. Irrespective of this, the principles of good data management remain at their core.
- Binding Corporate Rules (BCRs) – act as a guarantee for the personal data transferred and must be approved by the data protection authorities in each jurisdiction in which the company operates. The principle of mutual recognition negates individual approval on the basis that if the lead authority is satisfied that the BCRs put in place adequate safeguards then other DPAs should accept their findings without any further scrutiny or comment. Nineteen countries follow the mutual recognition principle, including the UK, Germany and France. However, every set of BCRs needs to be tailor-made to the particular needs of a given corporation. Therefore, BCRs can lack commercial practicality and be a time-consuming solution to achieve.
- Consent – obtained from individuals subject to data transfers. This too is a time-consuming process, particularly when dealing with multiple data subjects, and there are challenges over how consent is validly obtained. Consent can also be withdrawn at any time.
Reactions from the business world
Businesses caught up in this data transfer nightmare find themselves at risk of being chastised for following a practice which was once approved by the European Commission. Corporate entities such as Amazon and Google endorsed the use of Model Clauses immediately after the Schrems decision. This could have proved fatal in the absence of guidance, but in a statement released on 16 October 2015 the Working Party confirmed that while current negotiations around a new Safe Harbor are ongoing, Model Clauses and BCRs may still be used.
Reaction from the Working Party
The Working Party's initial statement of 6 October 2015 welcomed the CJEU's decision, and the most recent statement of 16 October 2015 reaffirmed that any data transfers occurring after the Schrems decision under Safe Harbor are unlawful. The Working Party approved the interim use of Model Clauses and BCRs and submitted that it is the responsibility of data protection authorities of the Member States and European authorities to commence an open discussion to find "political, legal and technical solutions" to allow data transfer to the US. It is the aim of the Working Party to have a new transatlantic framework by January 2016, which has already been named "Safe Harbor 2.0".
Reaction from the Commission
In her speech to the Committee on Civil Liberties, Justice and Home Affairs on 26 October 2015, Commissioner Jourova took the opportunity to appease US parties by reaffirming that the court is "not assessing the US system" and to confront sceptics by stating that the European Commission has not been "dragging their feet". The Commissioner hinted at US reluctance by appealing to the Committee and the business world to "convince the US of necessary further steps."
On the prospect of guidance, the Commissioner stated that an explanatory Communication on the consequences of the Schrems decision would be issued "soon" – we still await! She also noted that the new framework may be similar to the self-certification system of Safe Harbor but it will have to provide "effective detection and supervision mechanisms". The US has committed to "stronger" oversight by the Department of Commerce and cooperation with European data protection authorities. The Commissioner's words may have had a comforting tone, but in reality we are still without an approved long-term framework for data transfer to non-EU countries.
Reaction from the Information Commissioner's Office (ICO)
In a statement on 27 October 2015 the ICO admitted that they cannot create legal certainty where there is none and instead advised businesses not to panic, to take stock of personal data being transferred and to make up their own mind about how to adequately protect personal data. Commissioner Jourova's view that the new framework will likely be similar to Safe Harbor but with enhanced protections for individuals subject to data transfers is echoed by the ICO. The ICO highlighted the influential role businesses have, urging them to use their influence to push for a strong and effective framework.
How do I protect my business?
The CJEU's decision has, without doubt, caused commercial chaos. The Working Party, the European Commission and the ICO accept that urgent action is required to get the transatlantic data flow moving again. Until such action is confirmed, it is recommended that businesses carefully consider data transfers to the US and adopt the interim use of Model Clauses or BCRs. Business owners should keep a close eye on any further statements or guidance from the Working Party, the European Commission and the ICO which might invalidate these mechanisms in favour of a long-term solution.
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.