Following the recent decision by the Court of Justice of the European Union invalidating the adequacy of the EU-US Safe Harbor framework, the EU’s Article 29 working party has issued its first formal statement in response.
The working party is composed of representatives from the national data protection authorities (DPAs) of the EU Member States, the European Data Protection Supervisor and the European Commission, so its views have been awaited with interest given that the CJEU’s decision highlighted the importance of a DPA’s assessment of the adequacy of cross-border data transfers.
While the statement was not as clear in all respects as might have been hoped, the key messages were:
- The DPAs believe a robust, collective and common position on the implementation of the CJEU judgment is required.
- Transfers taking place purely on the basis of Safe Harbor are unlawful.
- A new, negotiated Safe Harbor 2.0 could be part of the solution in the future.
- In the meantime, the Article 29 working party will continue to analyse other available transfer tools. During this period, the EU model clauses (also known as Standard Contractual Clauses) and Binding Corporate Rules can still be used to legitimise cross-border transfers.
- These alternative transfer mechanisms may be subject to investigation by DPAs to protect individuals in “particular cases”, for example where a complaint is made
Interestingly, although the statement makes clear that transfers based on Safe Harbor are unlawful, it does not explicitly say that those transfers should stop immediately.
Further, the end of January 2016 is mentioned as a date by which EU member states and institutions need to find an alternative long-term solution with the US authorities (such as Safe Harbor 2.0). If that solution does not emerge by then, than, subject to the working party’s ongoing analysis, DPAs are committed to taking further action (which may include coordinated enforcement action).
This suggests that enforcement action by a DPA before 31 January 2016 is unlikely, although such action is not explicitly ruled out. In practice, it would seem that companies who have been relying on Safe Harbor have until that date to put alternative solutions (most likely EU model clauses) in place.
So whilst there is some uncertainty as regards the timeline for potential enforcement activity, companies should start considering alternative compliance tools and put things in motion until a more satisfactory cross-border compliance solution (like Safe Harbor 2.0) is finalized so that they at least they can demonstrate having considered the issue if they are investigated.
With that in mind, we have set out below a summary of some of the key consequences of the decision and the related practical steps which we suggest affected companies should be taking to address their on-going privacy compliance in the immediate wake of the decision.
1. Put in place Model Clauses
Discussions to finalize Safe Harbor 2.0 are still ongoing, and the BCRs process is too lengthy and expensive to make it a realistic option for most companies. The alternatives to European Model Clauses or BCRs are therefore pretty limited and include: accept non-compliance risk for now; ask for consent to allow data to be transferred (not a viable option for most B2B companies) or rely on one of the other so called “derogations” under the European Data Protection Directive (of which very few are likely to apply to most businesses); or move your servers to Europe.
As a result, it looks like most businesses will have no choice but to adopt and implement the Model Clauses. Unfortunately, you cannot just print and sign them. They require consideration as to which type of the three Model Clauses available is appropriate. Whereas all of a company’s data exports (whether customer, employee, CRM or vendor data) may have previously been covered under a single Safe Harbor certification, different Model Clauses may be needed depending on whether the data is being exported on a controller to controller basis (typically the case for CRM, employee and vendor data), or a controller to processor basis (typically the case for customer data). Any Model Clauses based option may there therefore need to be broken into separate model clause solutions and the roles of the parties exporting and importing the data carefully assessed.
If customer data is being exported on a controller-to-processor basis (typically the case for most cloud service providers for example), EU businesses exporting that data may require that US data importers execute Model Clauses. If you are a US company, it would therefore be sensible to proactively approach customers with a revised data processing agreement that annexes the Model Clauses, as some large providers have already done. This can be a good way to shore up trust with European customers (and in any case, in certain countries such as Germany, there is already a requirement to have a detailed data processing agreement which could be supplemented with Model Clauses).
However, there are unfortunately a number of practical challenges that are going to make it difficult for US businesses to implement a “quick fix” that works across each European country. For example: requirements for using Model Clauses vary in each Member State (some require the Model Clauses to be filed, whilst others require the prior approval of the local data protection authority before they can be used); local laws may apply in each set of Model Clauses; it can be difficult to apply Model Clauses to sub-processors and sub-sub-processors who are involved with processing activities; explaining to local data protection authorities what will happen if the NSA ask to see data (or explaining that they never have, where that’s a true statement!). In reality most of these difficulties can be overcome, but not without some additional paper work and process, and balancing risk.
It is also worth bearing in mind that at this point we cannot be certain that Model Clauses are immune from a similar attack which succeeded in the recent CJEU’s Schrems decision. As such, Model Clauses should be viewed as a step forward which can be relatively fairly easily progressed at this stage, but which may need revisiting as further guidance is issued in each Member State in response to the CJEU’s decision, rather than something which can be completed and then forgotten about.
Intra-group exports (e.g. between any European sub and US parent) of CRM, employee and vendor data will need to be governed by intra-group data processing agreements that append the relevant Model Clauses. If a company has a number of European subsidiaries or branch offices, this may require a more complex web of Model Clauses, which can be cumbersome to put in place.
If businesses are required to enter into the controller-to-processor Model Clauses with their customers, they contain (amongst other things) some fairly onerous subcontracting provisions and wide audit rights, such that the Model Clauses will need to be flowed down to any third party non-EEA vendors that businesses engage with to process EEA personal data. This means businesses will need to review what existing contracts they have in place with vendors and, where necessary, update such agreements to include terms equivalent to the Model Clauses. If vendors resist, the options are: accept a liability gap; or consider shifting to another vendor who will be prepared to accept the model clauses (as many will now have to do). It’s useful to note that some vendors, such as AWS and Microsoft, have solutions and related vendor contracts reflecting data processing arrangements which have already obtained the EU DPA’s approval. Switching to these vendors’ EU data protection compliant offerings may offer an easier route forward in some cases.
2. Inform data subjects and get their consent
The EU Data Protection Directive provides for certain “derogations” which would allow for EU – US data transfers. One of these derogations is that the individual has given their unambiguous consent to the transfer. Although this derogation is not useful in B2B transactions, if you’re an e-commerce business selling to European consumers, you might seek to rely on the consent derogation. However, this approach requires considerable caution. The bar for valid consent in Europe is relatively high – it needs to be a “freely given, specific and informed indication of [the data subject’s] wishes”.
Consequently, exporting controllers need to be able to produce clear evidence of the data subject’s consent in any particular case and may be required to demonstrate that the data subject was informed as required (i.e. by spelling out the lesser protection that may apply to their data). Similarly, valid consent means that the data subject must have a real opportunity to withhold their consent without suffering any penalty, or to withdraw it subsequently if they change their mind. This can be particularly relevant where employee consent is being sought. Also, some data protection authorities do not view consent as appropriate in the case of employee personal data or for bulk transfers of personal data to the US.
For these reasons, consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or structural transfers of data to a third country.
3. Update policies
In addition to putting in place transfer solutions, businesses will need to amend their existing external and internal policies (privacy policies, employee policies, whistleblowing policies) to ensure that all references to Safe Harbor as a compliance mechanism are removed. Existing policies should also be reviewed to ensure that they contain full and adequate disclosures particularly for businesses looking to rely on the consent derogation about what, how and why personal data will be collected, used and shared. External facing policies will need to be re-posted and possibly even notified to affected data subjects.
4. Consider anonymisation
There will only be a transfer caught by the European Data Protection Directive to the extent it involves “personal data” (i.e. data that directly or indirectly identifies a living individual). Companies should consider whether the data they are transferring needs to be in an identifiable format. Whilst the bar for truly anonymising data under European requirements is high, to the extent data can be totally anonymised, this is a tool that could be useful to companies.
5. Keep the position under review
We are expecting further guidance to be issued by local data protection authorities as well as developments in the negotiations of Safe Harbor 2.0 and of course the new European General Data Protection Regulation. Therefore, arrangements for data transfers should be kept under review and flexed to address new developments in due course.