3 months grace period to put US data transfer compliance measures in place post Schrems

How are the Article 29 Working Party and the EU member states reacting to the recent ECJ ruling on Safe Harbor?

Initial Comment and Guidance

Following the ECJ judgment on Schrems on 6^th October 2015, various regulators issued statements and guidance within a short space of time. For example: the EU Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA published statements (see links provided) on the judgment.  In basic terms each of those statements said they would consult with other EU data protection authorities to issue more detailed guidance for organisations on what to do next.  The European Commission also said that it will issue "clear guidance" in the coming weeks to prevent member states' data authorities issuing conflicting rulings.

German Schleswig-Holstein Guidance

On 14^th October 2015, Germany’s northern Schleswig-Holstein state issued its own guidance following the ECJ decision.  There are 16 federal states in Germany and each one directly oversees data protection matters.  Their approach can differ and Schleswig-Holstein is known to take a very conservative and stringent approach.  Perhaps unsurprisingly then, they produced a very strict paper, in which they questioned whether compliant data export to the USA could even be based on EU Model Clauses and further queried whether consent would be valid.

The Schleswig-Holstein authority draws on Article 5 (b) which outlines that an importer has to warrant “that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract.” The authority believes an importer in the US is no longer in the position to give such a warranty.

Also, the controllers transferring data to a US processor should “take into consideration terminating the data transfer agreement or suspending the data transfers.” Schleswig-Holstein states: “In consequential application of ECJ’s decision a data transfer based on model clauses is no longer admissible”.

This strict interpretation of the recent ruling – if adopted – would certainly call into question the operations of many multi-national companies where transferring data to the US.  Internal compliance management and monitoring within companies of all sizes, but most especially within the big multi-nationals, is set to become a hot topic. 

Ultimately though, as this particular German authority is the only one likely to publish such a formal response, all eyes are turning to the response and guidance from the Article 29 Working Party group.

So what is the WP29 view?

The European Article 29 Working Party group met on 16^th October 2015 to discuss the consequences of the ECJ’s ruling.  

Their subsequent statement has urged EU Member States and institutions to come together with the US authorities to work on appropriate political, legal and technical solutions to enable legally compliant data transfers to the US that also protect the fundamental rights of EU citizens.

It has also indicated that further analysis of the ECJ decision will be undertaken to look at its impact on other means of transferring data used by some companies - such as the European Standard Contractual Clauses and the Binding Corporate Rules. 

The WP29 group has indicated that, for now, other alternative EU approved compliance transfer mechanisms can continue to be put in place to ensure compliance, but it has warned that:  

• National data protection authorities can use their relevant powers to investigate and take punitive steps to protect individuals in the event of a complaint; 
• These national DPA’s could even come together the co-ordinate enforcement action if compliance solutions are not agreed with the US authorities by the end of January 2016.

So given that the EU-US Safe Harbor Scheme has been invalidated as a compliant transfer mechanism thanks to the Shrems case, organisations have effectively been given 3 months grace to consider their business processes and to adopt relevant legal and technical solutions when transferring personal data to the US in order to remain compliant.  

If you require any further information or advice on how to stay compliant when transferring data to the US, on implementing the European standard contractual clauses to ensure compliance, or indeed with any other data protection or privacy matter then please do not hesitate to contact Pritchetts.

US Safe Harbor Scheme no longer “Safe” for International Data Transfer

On 6^th October 2015, the Court of Justice of the European Union (the “CJEU”) delivered its judgment in the case of Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) - see here for the full CJEU press release. 

The judgment was not altogether unexpected given the earlier Opinion of the Advocate General on 23 September 2015 but has still sent shockwaves through many industry sector bodies and organisations who already carry out international data transfers to the USA themselves or by using third party service providers to do so on their behalf.  

Safe Harbor no longer Safe

The CJEU found in its judgment that: 

i.          The US Safe Harbor Scheme is Invalid

The CJEU made it clear that it alone has the power to examine the validity of a European Commission finding of adequacy in relation to “safe” or “permitted” international data transfers and in this case has decided that Decision 2000/520/EC on the adequacy of the protection afforded by the US Safe Harbor scheme (“EC Safe Harbour Decision”) is invalid. 

This means that the Safe Harbor scheme used by more than 5,000 US companies can no longer be relied on as a lawful compliance mechanism permitting personal data about European data subjects to be transferred to the USA.

For those not familiar with the background to this case, in brief terms:

• The US Safe Harbor scheme was challenged by a Facebook user, Maximilian Schrems, following the Edward Snowden revelations about interception of communications by US intelligence agencies. 

• It was alleged that the NSA had accessed data about Europeans and other foreign citizens stored by the US tech giants via a surveillance scheme called Prism.  

• Schrems argued that US law and practice didn’t therefore offer sufficient protection against surveillance by public authorities of personal data transferred to the US and asked the Irish Data Protection Commissioner to investigate what information Facebook might be disclosing. 

• The Irish Data Protection Commissioner rejected Schrems’ complaint and request on the basis of the EC Safe Harbour Decision.  

• Schrems contested the decision and the matter was referred to the CJEU.

This CJEU judgment seems to have been made on the basis that:

(a)   The Safe Harbor scheme only applies to U.S. undertakings which are Safe Harbor registered, not to U.S. public authorities.

(b)  US national security, public interest and law enforcement requirements take precedence over the Safe Harbor scheme and when a conflict arises U.S. undertakings must disapply the Safe Harbor rules.  US Public law enforcement authorities which obtain personal data from organisations in the Safe Harbor scheme are not obliged to follow the Safe Harbor rules after disclosure

(c)   US law also allows storage on a general basis of all personal data relating to individuals whose data is transferred from the EU to the US irrespective of the reasons why and without any consideration as to when this data can be accessed and used by US public authorities.

(d)  The Safe Harbor rules don’t provide adequate rights for individuals to access their data or to require it to be rectified or erased where appropriate.

"I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy," said Max Schrems on learning of the judgment.  "It clarifies that mass surveillance violates our fundamental rights." 

(ii)  National DPAs must make their own finding of Adequacy

National data protection authorities have the power to examine whether international data transfers comply with the EU Data Protection Directive (95/46/EC) (“EU Directive”) and to suspend them if they are not in compliance.  This power exists even where the European Commission have made a previous finding of adequacy provided by a non-EU country (i.e. in relation to the Safe Harbor Scheme) as DPAs have independent powers granted under the EU Directive.

National DPAs may therefore decide to prohibit or suspend international data transfers made under the US Safe Harbor Scheme if their investigation into the transfer finds that the transfer does not provide adequate protection.

So what happens next for Facebook?

In relation to the Facebook case, the Irish Data Protection Authority must now carry out a thorough investigation, exercising all due diligence, to decide whether the transfer of data to the US in relation to European users of Facebook should be prohibited on the basis that the Safe Harbor scheme no longer creates a permitted compliance mechanism.

And what about the rest of us?

While this case may seem, on the face of it, to be about taking on the mighty Facebook, in reality it is about all transfers of personal data to the US by all organisations.   \These may include: 

• Data transfers to head offices in the US or transfers sent to the US for particular service provision - either directly by organisations or via their sub-contractors; 

• transfers for data back-ups, CRM, accounting, payroll and personnel record hosting or services, data analytics, IT services, surveys carried out etc.  

The case therefore has wide-reaching implications for all organisations who transfer information from Europe to the USA. As a result, many industry sector bodies and organisations have been left reeling from the news of this case - each scrabbling to consider the full implications of the CJEU decision for them.

In essence, the many thousands of organisations carrying out international data transfers to the USA themselves (or using third party service providers (data processors) to do so on their behalf):

• Should no longer transfer personal data to US organisations solely on the basis that they are Safe Harbour registered;

• Are likely to face a huge additional compliance burden, potentially having to liaise with numerous European data protection authorities rather than relying on the Safe Harbour scheme; and 

• Will undoubtedly have to carry out more costly privacy impact assessments and put more legal paperwork in place to justify their US data transfers. 

The EU Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA have already published statements (see links provided) on the judgment.  In basic terms these statements say they will consult with other EU data protection authorities to issue guidance for organisations on what to do next.  The European Commission has also said that it will issue "clear guidance" in the coming weeks to prevent member states' data authorities issuing conflicting rulings.

Organisations will be keen to see this regulatory guidance published sooner rather than later as following the decision they may no longer have a compliant mechanism permitting data transfers to the USA. While there are potentially other legal pathways allowing compliant data transfers to take place, many will require further work, analysis, justification and paperwork before they can be relied on.  This will take organisations time to properly consider.  And yet the CJEU decision creates no time… there is no transition period to allow a new mechanism to be found, with the result that many organisations have become technically in breach of the legislation overnight.  

Many of us practitioners hope that the EU and US will agree a new compliant transfer agreement or system - but unfortunately this may be slow in coming as we understand that there have been ongoing negotiations for several years - trying but failing to agree on a better solution.

Watch this space!

If you require any further information or advice on how to stay compliant when transferring data to the US, on implementing the European standard contractual clauses to ensure compliance, or indeed with any other data protection or privacy matter then please do not hesitate to contact Pritchetts.

 

ECJ Weltimmo Case: More obligations for Pan European Operators

On the 1^st October 2015, the European Court of Justice made a landmark ruling that all international organisations should abide by the data protection legislation that exists in all the jurisdictions in which they operate.  

This decision centered on the outcome of the ECJ Weltimmo case, which was brought by the Hungarian data protection authority against property website Weltimmo. Weltimmo ran a property advertising service in Hungary even though it was based in Slovakia.  The Court found that cross border activity by the Slovakian company sharing information with debt collection agencies, was deemed to have breached data protection laws in Hungary, ruling that:  

• No matter what size of operation exists in each member state, companies must apply the data protection legislation of that member state to all of its activities if it has an establishment within that country.  If, for example, the organisation operates a service in the native language of a country, has offices or bank accounts in that country or has representatives registered in that country;
• Organisations are then regulated by the relevant EU countries’ national data protection authorities even if the organisation is not headquartered in the country of that Regulator.  That means those Regulators can impose fines where those exist.  In the Weltimmo case, this means they could be liable for the 10m Hungarian forint fine (£23,650) which had been issued by the Hungarian data protection authority;
• If it cannot be shown that an “establishment” exists in that EU member state, then the relevant local data protection authority in that member state would not be able to issue fines and/or enforcement action and would have to instead rely on the data protection authority or the relevant member state where the organisation was based.

In practical terms, this Case means that all organisations will need to ensure they keep abreast of the relevant legislative variations across Europe and this will of course place considerable additional administrative burdens on organisations and raise their compliance costs dramatically.  For example, the costs and potential adverse repercussions of not getting on top of your requirements if you market to a number of different organisations via your sales website or similar, could be huge.

Whilst there has been much talk of the impact of this case on the big technology companies like Facebook and Google, who process data here in Europe, it is clear that in the age of the multinational, costs for remaining compliant will dramatically increase for all sorts of organisations – especially those that are consumer-facing and those that operate in EU Member States that have a stronger appetite for enforcement. 

Previously, companies only had to adhere to the data protection legislative requirements of one county, and a lot of multinationals chose to create the nominated establishment in either the UK or Ireland where the laws and practices were more relaxed.  

If you require advice on data protection compliance and privacy matters, or to understand how any of the recent ECJ judgements might affect the operations of your organisation, please do not hesitate to reach out to Pritchetts for tailored advice.