
U.S.-EU safe harbor framework invalidation creates uncertainty

Last fall (October 2015), the European Court of Justice (ECJ), Europe's highest court, issued a judgment invalidating the U.S.-EU Safe Harbor Framework for the transfer of European personal data to the U.S. EU data protection authorities have affirmed that transfers still taking place under the Safe Harbor Framework are unlawful and have indicated their intention to take all necessary and appropriate actions, including enforcement actions, as early as February 2016 if no new Safe Harbor agreement is in place by then.


Of additional concern is the fact that the alternative arrangements available to U.S. companies, such as the use of standard contractual clauses or binding corporate rules, have also come under recent scrutiny by data protection authorities in the wake of the Court’s decision.


Uncertainty continues in the wake of the decision, which has accelerated negotiations on a renewed Safe Harbor agreement. For now, the most prudent course is to assess the risks of transferring personal data out of the EU under current EU law and to put in place the legal and technical measures needed to mitigate those risks.

What happened?
In the case of Maximillian Schrems v Data Protection Commissioner, the ECJ found that the Safe Harbor Framework did not provide an adequate level of protection, because personal data transferred under it is accessible to U.S. authorities for surveillance purposes. The framework permits U.S. authorities to disregard the Safe Harbor Privacy Principles without limitation where they conflict with national laws, national security, public interest, or law enforcement requirements. The Court held that this effectively interferes with the fundamental rights to respect for private life and to protection of personal data.

What now? Data transfer options post-Safe Harbor

With the Safe Harbor Framework now officially invalid, all EU personal data transferred to the U.S. (including data already stored in the U.S.) is considered unlawfully transferred unless an alternative transfer mechanism that provides appropriate safeguards is used. Such safeguards can be provided through:

· Standard Contractual Clauses (SCCs) approved by the European Commission or a competent supervisory authority that permit the lawful transfer of data outside of the EU. (As mentioned earlier, some EU national data protection authorities have called into question the adequacy of the SCCs in light of the ECJ ruling, since they do not constrain access by U.S. authorities any more than Safe Harbor did.)

· Binding Corporate Rules (BCRs) for intra-group transfers, establishing a single set of internal rules and procedures that ensure the same standards of protection are applied to data transfers within the organization worldwide. BCRs require approval by the relevant data protection authorities and do not cover transfers to third parties outside the group.

Transfers are also permissible if one of the derogations set out in Article 26(1) of the Data Protection Directive (95/46/EC) applies. These cover specific circumstances in which the data subject has given unambiguous consent to the transfer, or in which the transfer is necessary for contractual or legal reasons in the interest of the data subject. Because derogations are narrowly construed, they are generally unsuitable as a basis for routine, large-scale transfers.

What next? A new Safe Harbor?
The U.S. and the EU have been negotiating a new Safe Harbor Framework since January 2014, shortly after Edward Snowden revealed the sweeping nature of U.S. surveillance activities. There appears to be general agreement on a new framework, and the Commission intends to conclude negotiations with the U.S. by the end of January 2016, after which time national data protection authorities may take enforcement action. A new Safe Harbor would once again provide a less burdensome basis for the lawful transfer of data that would be recognized by all EU data protection authorities.

A new EU general data protection regulation?
Last December, the Parliament and the Council of the EU reached agreement on a new data protection regulation to harmonize EU data protection standards and bring them in line with the requirements of the digital age. The new General Data Protection Regulation, expected to be adopted in early 2016, will be a single law immediately binding on all EU member nations after a two-year transition period. It aims to give individuals greater control of their personal data and simplify the regulatory framework and processes for businesses.

What companies can do
Companies that have been transferring data under the Safe Harbor Framework will need to identify alternative bases for compliant personal data transfers, whether through SCCs, BCRs, or available derogations. Absent a new Safe Harbor Framework, enforcement action looms as early as February 2016.

Some organizations might consider a completely different route to compliance by avoiding transfers of EU data to the U.S. altogether. If the data remains in the EU, the question of a lawful transfer mechanism does not arise (though remote access to that data from the U.S. can itself constitute a transfer). Amazon has been a forerunner in this regard: its EU customers can now choose to have their data stored in either Dublin or Frankfurt. Following the Schrems decision, many other large U.S.-based organizations are likely to accelerate plans to localize data storage in the EU rather than transfer it to the U.S.
