Following the recent decision by the Court of Justice of the European Union invalidating the adequacy of the EU-US Safe Harbor framework – which we discussed here – the EU’s Article 29 working party has issued its first formal statement in response.
The working party is composed of representatives from the national data protection authorities (DPAs) of the EU Member States, the European Data Protection Supervisor and the European Commission, so its views have been awaited with interest given that the CJEU’s decision highlighted the importance of a DPA’s assessment of the adequacy of cross-border data transfers. The European Commission has also provided remarks on the CJEU’s judgment and issued an explanatory communication on the consequences of the ruling which is consistent with the working party’s statement.
Key messages from the Article 29 working party statement
Whilst the working party’s statement was not as clear in all respects as might have been hoped, the key messages were that:
- The DPAs believe a robust, collective and common position on the implementation of the CJEU judgment is required.
- Transfers taking place purely on the basis of Safe Harbor are unlawful.
- A new, negotiated “Safe Harbor 2.0” could be part of the solution in the future.
- In the meantime, the Article 29 working party will continue to analyse other available transfer tools. During this period, the EU Model Clauses (also known as Standard Contractual Clauses) and Binding Corporate Rules (BCRs) can still be used to legitimise cross-border transfers.
- These alternative transfer mechanisms may be subject to investigation by DPAs to protect individuals in “particular cases”, for example where a complaint is made.
Interestingly, although the working party statement makes clear that transfers based on Safe Harbor are unlawful, it does not explicitly say that those transfers should stop immediately.
The working party also mentions the end of January 2016 as a date by which EU Member States and institutions need to find an alternative long-term solution with the US authorities (such as Safe Harbor 2.0). If a solution does not emerge by then, then, subject to the working party’s ongoing analysis, DPAs are committed to taking further action (which may include coordinated enforcement action).
How likely is DPA enforcement action before 31 January 2016?
This suggests that enforcement action by a DPA before 31 January 2016 is unlikely, although such action is not explicitly ruled out. In practice, it would seem that companies which have been relying on Safe Harbor have until that date to put alternative solutions (most likely EU Model Clauses) in place.
So, whilst there is some uncertainty as regards the timeline for potential enforcement activity, companies should start considering alternative compliance tools and put matters in motion until a more satisfactory cross-border compliance solution (like Safe Harbor 2.0) is finalized – so that they at least they can demonstrate having considered the issue if they are investigated.
Practical steps companies can consider now
With that in mind, we have set out below a summary of some of the key consequences of the CJEU’s judgment and the related practical steps which we suggest affected companies should be taking to address their on-going privacy compliance in the immediate wake of that judgment.
Discussions to finalize Safe Harbor 2.0 are still ongoing, and the BCRs process is too lengthy and expensive to make it a realistic option for most companies. The alternatives to EU Model Clauses or BCRs are therefore fairly limited and include: accept non-compliance risk for now; ask for consent to allow data to be transferred (not a viable option for most B2B companies) or rely on one of the other so called “derogations” under the European Data Protection Directive (of which very few are likely to apply to most businesses); or move servers to Europe.
1. Put in place Model Clauses
As a result, it looks like most businesses will have no choice but to adopt and implement the Model Clauses. Unfortunately, you cannot just print and sign them. They require consideration as to which type of the three Model Clauses available is appropriate.
Whereas all of a company’s data exports (whether customer, employee, CRM or vendor data) may have previously been covered under a single Safe Harbor certification, different Model Clauses may be needed depending on whether the data is being exported on a controller-to-controller basis (typically the case for CRM, employee and vendor data), or a controller-to-processor basis (typically the case for customer data). Any Model Clauses-based option may there therefore need to be broken down into separate Model Clause solutions and the roles of the parties exporting and importing the data carefully assessed.
If customer data is being exported on a controller-to-processor basis (typically the case for most cloud service providers, for example), EU businesses exporting that data may require that US data importers execute Model Clauses. If you are a US company, it would therefore be sensible proactively to approach customers with a revised data processing agreement which annexes the Model Clauses, as some large providers have already done. This can be a good way to shore up trust with European customers (and in any case, in certain countries such as Germany, there is already a requirement to have a detailed data processing agreement, which could be supplemented with Model Clauses).
However, there are unfortunately a number of practical challenges that are going to make it difficult for US businesses to implement a “quick fix” that works across each European country. For example: requirements for using Model Clauses vary in each Member State (some require the Model Clauses to be filed, whilst others require the prior approval of the local data protection authority before they can be used); local laws may apply in each set of Model Clauses; it can be difficult to apply Model Clauses to sub-processors and sub-sub-processors who are involved with processing activities; explaining to local data protection authorities what will happen if the NSA ask to see data (or explaining that they never have, where that’s a true statement!). In reality most of these difficulties can be overcome, but not without some additional paperwork and process, and balancing risk.
It is also worth bearing in mind that at this point we cannot be certain that Model Clauses are immune from a similar attack which ultimately resulted in the CJEU judgment. As such, Model Clauses should be viewed as a step forward which can be fairly easily progressed at this stage, but which may need revisiting as further guidance is issued in each EU Member State in response to the CJEU’s decision, rather than something which can be completed and then forgotten about.
Intra-group exports (e.g. between any European subsidiary and US parent) of CRM, employee and vendor data will need to be governed by intra-group data processing agreements that append the relevant Model Clauses. If a company has a number of European subsidiaries or branch offices, this may require a more complex web of Model Clauses, which can be cumbersome to put in place.
If businesses are required to enter into the controller-to-processor Model Clauses with their customers, they contain (amongst other things) some fairly onerous subcontracting provisions and wide audit rights, such that the Model Clauses will need to be flowed down to any third party non-EEA vendors that businesses engage with to process EEA personal data.
This means businesses will need to review what existing contracts they have in place with vendors and, where necessary, update such agreements to include terms equivalent to the Model Clauses. If vendors resist, the options are: accept a liability gap; or consider shifting to another vendor who will be prepared to accept the model clauses (as many will now have to do). It’s useful to note that some vendors, such as AWS and Microsoft, have solutions and related vendor contracts reflecting data processing arrangements which have already obtained the working party’s approval. Switching to these vendors’ EU data protection compliant offerings may offer an easier route forward in some cases.
2. Inform data subjects and get their consent
The EU Data Protection Directive provides for certain “derogations” which would allow for EU – US data transfers. One of these derogations is that the individual has given their unambiguous consent to the transfer. Although this derogation is not useful in B2B transactions, if you are an e-commerce business selling to European consumers, you might seek to rely on the consent derogation. However, this approach requires considerable caution. The bar for valid consent in Europe is relatively high – it needs to be a “freely given, specific and informed indication of [the data subject’s] wishes”.
Consequently, exporting controllers need to be able to produce clear evidence of the data subject’s consent in any particular case and may be required to demonstrate that the data subject was informed as required (i.e. by spelling out the lesser protection that may apply to their data). Similarly, valid consent means that the data subject must have a real opportunity to withhold their consent without suffering any penalty, or to withdraw it subsequently if they change their mind. This can be particularly relevant where employee consent is being sought. Also, some data protection authorities do not view consent as appropriate in the case of employee personal data or for bulk transfers of personal data to the US.
For these reasons, consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or structural transfers of data to a third country.
3. Update policies
In addition to putting in place transfer solutions, businesses will need to amend their existing external and internal policies (such as privacy policies, employee policies and whistleblowing policies) to ensure that all references to Safe Harbor as a compliance mechanism are removed. Existing policies should also be reviewed to ensure that they contain full and adequate disclosures, particularly for businesses looking to rely on the consent derogation about what, how and why personal data will be collected, used and shared. External-facing policies will need to be re-posted and possibly even notified to affected data subjects.
4. Consider anonymisation
There will only be a transfer caught by the EU Data Protection Directive to the extent it involves “personal data” (i.e. data that directly or indirectly identifies a living individual). Companies should consider whether the data they are transferring needs to be in an identifiable format. Whilst the bar for truly anonymising data under European requirements is high, to the extent data can be totally anonymised, this is a tool that could be useful to companies.
5. Keep the position under review: further guidance is expected
We are expecting further guidance to be issued by local data protection authorities (see below for a summary of some of the guidance issued so far) as well as developments in the negotiations of Safe Harbor 2.0 and of course the new European General Data Protection Regulation. Therefore, arrangements for data transfers should be kept under review and flexed to address new developments in due course.
Guidance from local data protection authorities
Since the Article 29 working party statement was issued, several DPAs have issued guidance and we anticipate that further guidance will follow.
A position paper from the German DPAs (the so-called Duesseldorfer Kreis) on 21 October 2015 seems to be stricter in some areas than the ECJ judgment and also suggests that they were not able to find a common position, which together increases legal uncertainty for transfers from Germany.
As well as prohibiting Safe Harbor-based data transfers, the German DPAs have declared that they would currently not grant any approvals for data transfers to the US based on either BCRs or individual data transfer agreements. The common position of the Duesseldorfer Kreis is rather vague on the permissibility of data transfers based on EU Model Clauses and only expresses that in assessing Model Clause transfers, the DPAs will take into account the criteria established by the CJEU in its Safe Harbor decision.
The Hamburg DPA announced that it would not object to the use of EU Model Clauses until the evaluation of the judgment’s impact on other data transfer instruments has been finalized. In contrast to this, the DPA of Schleswig-Holstein, which is known for a very strict interpretation of the laws, in its position paper dated 16 October concluded that “in consistent application of the requirements explicated by the CJEU in its judgment, a data transfer on the basis of Standard Contractual Clauses to the US is no longer permitted” and that “private bodies, which use Standard Contractual Clauses to transfer personal data to the US, now need to consider terminating the underlying standard contract with the data importer in the United States or suspending data transfers”.
The Deputy Commissioner and Director of Data Protection at the Information Commissioner’s Office (the ICO) in the UK has blogged on the judgment confirming that existing decisions on the adequacy of particular countries and on EU Model Clauses can still be relied on. He also confirmed that the ICO will not be rushing to use its enforcement powers, indicating that companies will have some breathing space to assess their position particularly whilst discussions to find appropriate political, legal and technical solutions, including a new Safe Harbor framework, continue.