
Thursday, 22 October 2015

3 months grace period to put US data transfer compliance measures in place post Schrems



How are the Article 29 Working Party and the EU member states reacting to the recent ECJ ruling on Safe Harbor?


Initial Comment and Guidance

Following the ECJ judgment on Schrems on 6th October 2015, various regulators issued statements and guidance within a short space of time. For example, the EU Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA published statements (see links provided) on the judgment. In basic terms, each of those statements said they would consult with other EU data protection authorities to issue more detailed guidance for organisations on what to do next. The European Commission also said that it will issue "clear guidance" in the coming weeks to prevent member states' data authorities issuing conflicting rulings.

German Schleswig-Holstein Guidance

On 14th October 2015, Germany’s northern Schleswig-Holstein state issued its own guidance following the ECJ decision.  There are 16 federal states in Germany and each one directly oversees data protection matters.  Their approach can differ and Schleswig-Holstein is known to take a very conservative and stringent approach.  Perhaps unsurprisingly then, they produced a very strict paper, in which they questioned whether compliant data export to the USA could even be based on EU Model Clauses and further queried whether consent would be valid.

The Schleswig-Holstein authority draws on Article 5 (b) which outlines that an importer has to warrant “that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract.” The authority believes an importer in the US is no longer in the position to give such a warranty.

Also, the controllers transferring data to a US processor should “take into consideration terminating the data transfer agreement or suspending the data transfers.” Schleswig-Holstein states: “In consequential application of ECJ’s decision a data transfer based on model clauses is no longer admissible”.

This strict interpretation of the recent ruling – if adopted – would certainly call into question the operations of many multi-national companies when transferring data to the US. Internal compliance management and monitoring within companies of all sizes, but most especially within the big multi-nationals, is set to become a hot topic.

Ultimately though, as this particular German authority is the only one likely to publish such a formal response, all eyes are turning to the response and guidance from the Article 29 Working Party group.

So what is the WP29 view?

The European Article 29 Working Party group met on 16th October 2015 to discuss the consequences of the ECJ’s ruling.  

Their subsequent statement has urged EU Member States and institutions to come together with the US authorities to work on appropriate political, legal and technical solutions to enable legally compliant data transfers to the US that also protect the fundamental rights of EU citizens.

It has also indicated that further analysis of the ECJ decision will be undertaken to look at its impact on other means of transferring data used by some companies - such as the European Standard Contractual Clauses and the Binding Corporate Rules. 

The WP29 group has indicated that, for now, other alternative EU approved compliance transfer mechanisms can continue to be put in place to ensure compliance, but it has warned that:  

  • National data protection authorities can use their relevant powers to investigate and take punitive steps to protect individuals in the event of a complaint; 
  • These national DPAs could even come together to co-ordinate enforcement action if compliance solutions are not agreed with the US authorities by the end of January 2016.

So, given that the EU-US Safe Harbor Scheme has been invalidated as a compliant transfer mechanism thanks to the Schrems case, organisations have effectively been given 3 months' grace to consider their business processes and to adopt relevant legal and technical solutions when transferring personal data to the US in order to remain compliant.

If you require any further information or advice on how to stay compliant when transferring data to the US, on implementing the European standard contractual clauses to ensure compliance, or indeed with any other data protection or privacy matter then please do not hesitate to contact Pritchetts.
