Transatlantic data flows: yet more legal uncertainty

Written on 7 Jun 2016

The finding of the Court of Justice of the European Union (CJEU) in October 2015 that the “Safe Harbor” mechanism for legitimising data transfers to the US was invalid has had a significant impact on businesses across the world. Most businesses rely (either directly or indirectly) on being able to transfer personal data outside the EU to the US.

Efforts are being made to fill the gap left by Safe Harbor. Businesses have been working hard to put in place EU Model Clauses to legitimise EU-US data transfers and political agreement has been reached on Safe Harbor’s replacement, the EU-US Privacy Shield.

Over the last few days, three announcements have added more uncertainty to the legality of EU-US data transfers:

  • on 24 May 2016, news broke that the Irish Data Protection Commissioner (DPC) is planning to refer a case to the CJEU to determine if Facebook can continue to transfer data from Ireland to the US, this time on the basis of the EU Model Clauses;
  • (just a day earlier) the European Parliament voted on the EU-US Privacy Shield; and
  • on Monday 30 May 2016, Giovanni Buttarelli, the European Data Protection Supervisor (EDPS) published his opinion on the EU-US Privacy Shield.

We provide more detail on those announcements below, as well as giving an indication of what happens next, when it is due to happen and what practical steps to take in the meantime.

In the short term at least, these announcements do not change anything. For many businesses, the EU Model Clauses will still be the most viable (and in fact only) solution for transferring personal data to the US. However, the mid- and long-term future of both the EU Model Clauses and the EU-US Privacy Shield are uncertain. Businesses should keep a close eye on developments as and when they unfold. In order to be prepared for the worst, businesses might want to explore whether there are data processing solutions available which avoid a transfer of personal data to the US and enquire with their service providers what options they offer.

EU Model Clauses under fire?

Since the invalidation of Safe Harbor, most businesses now rely on EU Model Clauses to legitimise the transfer of data from the EU to the US.

However, the switch to EU model clauses did not resolve the underlying issues with transferring data to the US. Those issues were highlighted by the CJEU in Schrems, and include mass surveillance by US intelligence authorities.

As a result, it does not come as a complete surprise that the Irish DPC is intending to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers on the basis of the EU Model Clauses. As we reported previously, EU Model Clauses were never immune from such an attack.

Importantly, the intended referral does not mean that EU Model Clauses are now invalid. It is likely to take some time for the CJEU to pass judgment on the EU Model Clauses, and in recent weeks and months, regulators have repeatedly stated that EU Model Clauses can (and should) be used to legitimise cross-border transfers, at least until the Privacy Shield is in place.

In short, until we hear anything differently from regulators, the EU Model Clauses should continue to be used.

Privacy Shield: Next steps delayed

So what about the Privacy Shield, the new framework for transatlantic data flows which is intended to replace Safe Harbor?

On 15 April 2016, we summarised the much-anticipated opinion of the Article 29 Working Party (WP29) on the Privacy Shield. The WP29 – which is made up of representatives of the 28 EU Member State data protection authorities – concluded that while the Privacy Shield offers “major improvements” compared to the invalidated Safe Harbor, it still raises some significant concerns.

The next formal step towards adoption of the Privacy Shield is a vote by the Article 31 Committee, which is composed of representatives of the EU Member States. That vote was scheduled for the end of May. However, the Article 31 Committee has since asked for more time, postponing its vote until the end of June.

European Parliament and the EDPS agree with regulators…more needs to be done!

In the meantime, on 26 May 2016, the European Parliament passed a non-binding resolution which welcomed the progress made by the Privacy Shield, but called on the European Commission to continue its negotiations with the US to “implement fully” the recommendations expressed by the WP29. In a press release following the vote, the European Parliament highlighted a few of what it calls the Privacy Shield’s “deficiencies”, which include:

  • the US authorities’ access to data transferred under the Privacy Shield;
  • the possibility of collecting bulk data, which, in some cases, does not meet the criteria of “necessity” and “proportionality” laid down in the EU Charter of Fundamental Rights;
  • the proposed US ombudsperson, which is neither “sufficiently independent”, nor “vested with adequate powers to effectively exercise and enforce its duty” (although it is acknowledged to be a step forward); and
  • the complexity of the redress mechanism, which needs to be made more “user-friendly and effective”.

Then, on 30 May 2016, the EDPS casted further doubt on the Privacy Shield. The EDPS is an independent advisor to EU legislators. His opinion, which is summarised in this press release, concluded that “the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court.” He set out specific recommendations, and urged legislators to take their time in finding an adequate, long-term solution.

An ambitious timeline?

Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality is keen to have the Privacy Shield up and running before the summer break.

That would need a positive vote from the Article 31 Committee in June, which does not leave very much time to fix the Privacy Shield’s “deficiencies”. We will need to see to what extent (if at all) the WP29’s recommendations (now supported by the European Parliament and the EDPS) are included as part of the Privacy Shield before the Article 31 Committee vote. Some, particularly in relation to access to data by US authorities, are going to be difficult, if not impossible, to achieve.

What should businesses be doing now?

For the moment, neither the intended referral of the EU Model Clauses to the CJEU, nor the European Parliament’s vote on the Privacy Shield, changes anything:

  • Safe Harbor is still invalid;
  • Businesses cannot yet rely on the Privacy Shield; and
  • The last word from the regulators was to put in place EU Model Clauses.

Having said that, with so much uncertainty around how this will all pan out over the next few weeks and months, the safest solution would be to consider minimising (as far as possible) the extent to which personal data is transferred to the US. Can you move the data to servers in the EU? Can resilience and/or support be provided in the EU, instead of in the US? A number of suppliers are now offering alternatives to help businesses comply, although this may well come at a price.

In our update back in November 2015, we set out some other practical steps that businesses should take following the CJEU’s decision to invalidate Safe Harbor, which may already have been taken. Those include:

  • Informing data subjects and getting their consent;
  • Updating policies; and
  • Considering anonymisation.

There are undoubtedly more twists and turns to come in the story of transatlantic data transfers. Keep arrangements under review and remain agile to address new developments as they emerge.