Many payment service providers and firms operating within the industry, whether directly or as a consequence of outsourcing arrangements, are likely to be affected by the recent CJEU ruling on the invalidity of the Safe Habor arrangement.
For the past 15 years the Safe Habor program has provided a mechanism for the lawful transmission of personal data to US entities that had signed up to and complied with the Safe Harbor principles agreed between the European Commission and the US government (Commission Decision 2000/520/EC).
Following the 2013 leak of the details of the mass surveillance of European individuals being undertaken by US authorities, privacy activist Maximilian Schrems complained to the Irish Data Protection Commissioner. He submitted that Facebook was not able to ensure an EU-standard level of protection when transferring data to servers in the US. Following an appeal, the complaint was referred to the CJEU for consideration.
The CJEU decision of 6 October 2015 found that:
- Safe Harbor is invalid;
- mass and indiscriminate surveillance activities by US authorities is a violation of the Data Protection Directive and the fundamental rights afforded to European citizens under the Charter of Fundamental Rights of the EU; and
- a data protection regulator must be able to exercise its independence to suspend a transfer if it finds that the protections offered to European individuals are inadequate – i.e. it is not necessarily bound by a European Commission decision of adequacy.
The decision has implications for any company transferring personal data from the EU to the US, whether itself or by virtue of using particular affiliates or suppliers.
In response to the decision, the EU’s Article 29 working party has issued a formal statement with its initial guidance. The working party is composed of representatives of the national data protection authorities of each EU Member State, the European Data Protection Supervisor and the European Commission. The European Commission has also provided remarks on the CJEU’s judgment, which are consistent with the working party statement.
Whilst the working party statement was not as clear in all respects as might have been hoped, the key messages were that:
- The national data protection authorities in the EU Member States believe a robust, collective and common position on the implementation of the CJEU judgment is required.
- Transfers taking place purely on the basis of Safe Harbor are unlawful.
- A new, negotiated Safe Harbor 2.0 (i.e. a new Safe Habor) could be part of the solution in the future.
- In the meantime, the Article 29 working party will continue to analyse other available transfer tools. During this period, the EU Model Clauses (also known as Standard Contractual Clauses) and Binding Corporate Rules can still be used to legitimise cross-border transfers.
- These alternative transfer mechanisms may be subject to investigation by local data protection authorities to protect individuals in “particular cases”, for example where a complaint is made.
The working party also mentions the end of January 2016 as a date by which EU Member States and institutions need to find an alternative long-term solution with the US authorities (such as Safe Harbor 2.0). If a solution does not emerge by that time, then, subject to the working party’s ongoing analysis, national data protection authorities are committed to taking further action (which may include coordinated enforcement action).
The UK response
The Deputy Commissioner and Director of Data Protection at the Information Commissioner’s Office (the ICO) in the UK has blogged on the judgment, confirming that existing decisions on the adequacy of particular countries and on EU Model Clauses can still be relied on. He also confirmed that the ICO will not be rushing to use its enforcement powers, indicating that companies will have some breathing space to assess their position particularly whilst discussions to find appropriate political, legal and technical solutions, including a new Safe Harbor framework, continue.
Practical steps payment service providers and firms can consider
Following the CJEU judgment and the Article 29 working party statement, companies can consider the following steps to ensure their on-going privacy compliance. We discuss each of these steps in more detail here:
- Put in place EU Model Clauses.
- Inform data subjects and get their consent.
- Update external and internal policies.
- Consider anonymisation.
It will also be important to keep the position under review as further guidance from data protection regulators is anticipated.
Payment service providers and the FCA’s involvement in data protection
From a payments perspective, authorised payment and electronic money institutions may face an additional layer of regulatory scrutiny from the FCA (noting particularly the greater powers of the FCA to penalise firms). Although not specifically part of its mandate, our experience suggests that the FCA does consider data protection to fall within its general regulatory framework and has demonstrated a willingness to investigate how payment firms store, process and transfer data outside of the EU.