logo text

Thursday 28 January 2016

The latest on Schrems, the US Safe Harbor Scheme and the General Data Protection Regulation (GDPR)

Update on 28th January 2016 to Article below

 It has been reported that an amendment to the US Judicial Redress Act was passed today by the Senate Judiciary Committee. The Act passed after an amendment was approved allowing EU citizens’ to sue on EU Member States: 
  • allowing organisations to transfer personal data to the U.S. for commercial purposes; and 
  • having personal data transfer policies which do not materially impede the national security interests of the U.S. 
The European Commission has already rejected the first condition and we're waiting to hear their response to the second. It is thought that although an amendment has been passed, it may not therefore be all that was hoped for. This may further disrupt the already turbulent US-EU negotiations over finding a new personal data transfer solution.

The latest on Schrems, the US Safe Harbor Scheme and the General Data Protection Regulation (GDPR)

This article was first published on Lexis®PSL IT & IP on 27 September 2016. Click for a free trial of Lexis®PSL.

IP & IT analysis: Data Protection Day aims to raise awareness as to how data is used and explores the latest developments in data protection regulation. As part of our Data Protection Day series, Stephanie Pritchett, a specialist data protection lawyer and principal at Pritchetts Law, considers the impact of the recent Schrems ruling on the US Safe Harbor scheme and likely developments in relation to this under the proposed new General Data Protection Regulation (GDPR).

What is the background to the invalidation of the Safe Harbor framework?


C-362/14: Schrems v Data Protection Commissioner [2015] All ER (D) 34 (Oct)

On 6 October 2015, the Court of Justice of the European Union (the CJEU) delivered its landmark
judgment in the case of C-362/14: Schrems v Data Protection Commissioner [2015] All ER (D) 34 (Oct).

Opinion of AG Bot: C-362/14: Schrems v Data Protection Commissioner 
Although the judgment was not altogether unexpected given the earlier Opinion of the Advocate General on 23 September 2015, it still sent shockwaves through many industry sector bodies and organisations who carry out international data transfers to the USA—either directly themselves or via the use of third party service providers.

The CJEU found in its judgment that it alone had the power to examine the validity of a European Commission (EC) finding of adequacy in relation to ‘safe’ or ‘permitted’ international data transfers. In this case, it decided that Decision 2000/520/EC on the adequacy of the protection afforded by the US Safe Harbor scheme (Safe Harbor) was invalid. This has meant that the Safe Harbor scheme, used by more than 5,000 US companies, can no longer be relied on as a lawful compliance mechanism, permitting personal data about European data subjects to be transferred to the US.

For those not familiar with the background to this case, in brief terms:

  • The US Safe Harbor scheme was challenged by a Facebook user, Maximilian Schrems, following the Edward Snowden revelations about interception of communications by US intelligence agencies
  • It was alleged that the NSA had accessed data about Europeans and other foreign citizens stored by Facebook via a surveillance scheme called PRISM 
  • Schrems argued that US law and practice didn’t therefore offer sufficient protection against surveillance by public authorities of personal data transferred to the US and asked the Irish Data Protection Commissioner to investigate what information Facebook might be disclosing 
  • The Irish Data Protection Commissioner rejected Schrems’ complaint and request on the basis of the EC Safe Harbor Decision.

Schrems contested the decision and the matter was referred to the CJEU.  The CJEU made its judgment in this case on the basis that:

  • The Safe Harbor scheme applied to US undertakings which are Safe Harbor registered, not to US public authorities
  • US national security, public interest and law enforcement requirements take precedence over the Safe Harbor scheme and when a conflict arises, US undertakings must disapply the Safe Harbor rules
  • US public law enforcement authorities that obtain personal data from organisations in the Safe Harbor scheme are not obliged to follow the Safe Harbor rules after disclosure 
  • US law also allows storage, on a general basis, of all personal data relating to individuals whose data is transferred from the EU to the US irrespective of the reasons why and without any consideration as to when this data can be accessed and used by US public authorities 
  • The Safe Harbor rules don’t provide adequate rights for individuals to access their data or to require it to be rectified or erased where appropriate.
Data Protection Directive 95/46/EC

The CJEU also found in its judgment that national data protection authorities ("DPAs") must make their own finding of adequacy. It said they have the power to examine whether international data transfers comply with the Data Protection Directive 95/46/EC ("Data Protection Directive") and to suspend the transfers if they are not in compliance. This power exists even where the European Commission has made a previous finding of adequacy provided by a non-EU country (i.e. in relation to the US Safe Harbor Scheme), as DPAs have independent powers granted under the Data Protection Directive.
National DPAs may therefore decide to prohibit or suspend international data transfers made under the US Safe Harbor Scheme if their investigation into the transfer finds that the transfer does not provide adequate protection. In relation to the Schrems/Facebook case, the Irish DPA must now carry out a thorough investigation, exercising all due diligence, to decide whether the transfer of data to the US in relation to European users of Facebook should be prohibited on the basis that the Safe Harbor scheme no longer creates a permitted compliance mechanism. On 22 December 2015, Max Schrems tweeted a copy of his most recent letter from the Irish Data Protection Commissioner, basically stating that their investigation is extensive and ongoing.
While the case may have begun with Facebook, the CJEU decision extends to all transfers of personal data to the US by all organisations relying on the Safe Harbor compliance mechanism. These may, for example, include data transfers to Safe Harbor registered head offices in the US or for particular service provision by US Safe Harbor registered companies—either where a data controller contracts directly with those US organisations or it engages EEA based contractors who in turn sub-contract data processing services to US companies. This may, for instance, include transfers for data back-ups, CRM, accounting, payroll and personnel record hosting or services, data analytics, IT services, surveys carried out etc.
The Schrems case has therefore had wide-reaching implications for all organisations which transfer information from Europe to the US. In essence, the many thousands of organisations carrying out international data transfers to the US themselves (or using their third party service providers (data processors) to do so on their behalf):
  • Should no longer transfer personal data to us organisations solely on the basis that they are Safe Harbor registered
  • May currently face a huge additional compliance burden, potentially having to liaise with numerous European data protection authorities rather than relying on the Safe Harbor scheme, and 
  • Will have to carry out more costly privacy impact assessments and put more paperwork and legal contracts in place to justify their us data transfers.

What has been the approach of, for example, the Information Commissioner’s Office (ICO), the Article 29 Working Party and other European data protection authorities? 

National DPAs response

Following the decision, many European DPAs including the UK Information Commissioner’s Office, the Spanish DPA and Germany’s northern Schleswig-Holstein state state published statements on the judgment. In basic terms, most of those statements suggested that the regulators would consult with other EU data protection authorities before issuing robust guidance for organisations on what to do next. Some DPAs made statements taking a more conservative and stringent approach, and in the case of Schleswig-Holstein, producing a paper in which they questioned whether compliant data export to the USA could even be based on EU model clauses or consent.
Some other data protection authorities like the Israeli Law, Information and Technology Authority (ILITA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) also issued statements in which they revoked prior authorisation of data transfers on the basis of Safe Harbor.
While there remain other potential legal pathways to allow compliant personal data transfers to the US to take place, many of these compliance mechanisms require further work, analysis, justification and paperwork before they can be relied on. The CJEU decision created no ‘transition period’ to do so, with the result that many organisations became technically in breach of the legislation overnight.

Article 29 Working Party Guidance

The European Union Article 29 Working Party group of EU national DPAs arranged to meet on 16 October 2015 to discuss the consequences of the CJEU’s ruling. Their subsequent statement:
  • Urged EU Member States and institutions to come together with the US authorities to work on appropriate political, legal and technical solutions to enable legally compliant data transfers to the US that also protect the fundamental rights of EU citizens
  • Indicated that further analysis of the CJEU’s decision would be undertaken to look at its impact on other means of transferring data used by some companies—such as the European Standard Contractual Clauses (SCC) and the Binding Corporate Rules. The WP29 group did, however, indicate that, for the time being, other alternative EU approved compliance transfer mechanisms can continue to be put in place to ensure compliance 
  • Warned that National DPAs can use their relevant powers to investigate and take punitive steps to protect individuals in the event of a complaint and that they could even come together the co-ordinate enforcement action if compliance solutions are not agreed with the US authorities by the end of January 2016
So, organisations were effectively given a three-month grace period to consider their business processes and to adopt relevant legal and technical solutions when transferring personal data to the US in order to remain compliant. Likewise, the politicians were given a three-month deadline for talks.

European Commission guidance

The EC issued their guidance communication on 6 November 2015. This set out the EC’s recommendations for organisations transferring personal data to the US during this three-month grace period. Notably, the EC confirmed that use of the SCC continued to permit valid transfer and that its EC adequacy decisions are ‘living documents’, not set in stone. The EC had previously been criticised in the Schrems judgment for its prior approaches to the Safe Harbor issue. This has led to the EC reinvigorating negotiations with the US Government in relation to safe transfer routes generally, and more particularly in relation to the particular issues raised in the Schrems case. This was to include discussions about creating limitations and safeguards in relation to access by US public authorities. The EU Justice Minister Věra Jourová said she hoped those negotiations would be completed within the three-month period.
Back in the UK, guidance from the ICO produced over the last few months continues to urge organisations ‘not to panic’ but encourages them to consider alternative compliance options to Safe Harbor and to start putting these solutions in place.

Commissioner remarks on Safe Harbor

While ongoing reports and EC press releases continue to suggest that a political solution may be on its way, unfortunately it is not here yet. Press reports over the last month have revealed that the EC believes there has been no significant breakthrough in the talks and that the 31 January deadline is unrealistic. This has perhaps not been helped by press articles such as one in the Washington Post, headlined ‘Time to get serious about Europe’s sabotage of US terror intelligence programs’.
The Wall Street Journal published an article on 21 January 2016, discussing the concessions that have been made, on either side of the pond, while going through the negotiations. Unfortunately it appears that the politicians are still at a stalemate situation despite the concessions made so far.
It is understood that the EU’s Article 29 Working Group are due to meet again on 2 February 2016 to discuss what happens next. It is likely that EU negotiators will try and persuade them to extend the 31 January deadline and it is possible that they may agree to this.
Giovanni Buttarelli, the European Data Protection Supervisor, has said:
So this period of grace was not a diktat for negotiators but, rather, linked to the need to monitor the type of work to be done [by the negotiators] and our commitment to move together.’ 
Unfortunately a number of the national regulators are, however, still officially poised to commence imposing sanctions on organisations without an adequate transfer solution in place if the deadline passes without a deal being reached. Many organisations relying on the Safe Harbor scheme will be increasingly concerned about these uncertain reports.

What has been the approach of the US Department of Commerce and the Federal Trade Commission (FTC)?

Although there have been ongoing negotiations for several years trying, but failing, to agree on a better solution than the US Safe Harbor Scheme, it is widely hoped that the EU and US politicians will agree a new compliant transfer agreement or system, even if it is not by the 31 January 2016 deadline.

There seem to have been some moves in the right direction. In response to the Schrems ruling, the US House of Representatives approved a decision on 20 October 2015 to pass the Judicial Redress Act (H.R. 1428) to give EU citizens the same rights of redress in the US courts, as are given to US citizens where it is found that US federal agencies misuse information on privacy grounds. This had been one of the main issues highlighted by the CJEU in the Schrems case and has been a key issue in the ongoing political negotiations over the Safe Harbor scheme. Unfortunately the US Senate Judiciary Committee must still vote to pass the Act. The Committee was scheduled to meet on 21 January 2016 to do so but press reports have confirmed that the vote has been delayed, seemingly in relation to ongoing negotiations over the fifth paragraph detailing litigation pertaining to the Judicial Redress Act but reports also show that a myriad of issues are likely to sit behind that decision. Press reports the previous week had also suggested that the legislation does not yet have enough support to pass it and that it could take many more months to do so. This is likely to significantly impact the ongoing EU-US political negotiations and the timescales involved.

Statement from FTC Chairwoman Edith Ramirez 

Meanwhile, taking a step back from recent days, in a Statement by Edith Ramirez, Chairwoman of the US FTC, in October 2015, the FTC made clear that they are reviewing the CJEU decision and evaluating its implications. They said they:
…share the commitment of our EU counterparts to protect consumers’ personal information and privacy. The FTC has worked closely with the Department of Commerce and our European partners on enforcing and improving the Safe Harbor Framework, and FTC enforcement actions have helped safeguard the privacy of many European consumers. We will continue to work together with our European colleagues to develop effective solutions that protect consumer privacy with respect to cross-border data transfers.’In a further Statement in November 2015, the FTC stated that:
US and EU officials are currently discussing the development of an enhanced mechanism that protects privacy and provides an alternative method for transatlantic data transfers. In the meantime, we continue to expect companies to comply with their ongoing obligations with respect to data previously transferred under the Safe Harbor Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Safe Harbor Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers.

US Department of Commerce: Safe Harbor

The US Department of Commerce has also made clear its position in an advisory note on the Safe Harbor website that:
In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework.’It is perhaps surprising that they may continue to process such applications when these transfers are currently unlawful under EU law. They do, however, go on to say in that advisory: ‘…if you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel’.

How have businesses reacted to the development?

Without a doubt, the Schrems ruling sent shockwaves throughout most UK (and global) industry sectors. There are few organisations not doing business in some way with a US organisation, particularly given the increasingly global nature of business and the widespread use of global cloud computing solutions.

While there was a great deal of immediate scaremongering in the media and in the legal press about the ramifications of the Schrems decision, the ICO has consistently maintained the mantra of ‘keep calm’.

Once reporting on the matter settled down and the relevant European executive and regulatory bodies produced their statements and interim guidance on the issue, many organisations have started to mark this issue on their corporate risk register and to carry out assessments as to the practical steps needed and to take account of the increased legal risks.

Ultimately, doing nothing and waiting for a political solution is not really an option for businesses.

Even if the politicians do agree a final agreed solution by the end of January 2016, which seems extremely unlikely, as discussed above, there will inevitably be a lengthy period of transition. Any new ‘Safe Harbor’ type arrangement that is agreed will probably need significant time to fully implement and it is likely that existing Safe Harbor-registered companies will have to go through a new or re-certification process. This will most likely require much more stringent conditions to be met than before and external checks, with the result that some of those companies currently self-certified may not immediately meet the new grounds for certification. Of course, any new agreement may well not meet with the full approval of the Article 29 Working Party or all of the EU DPAs, as the US are unlikely to roll back all of its powers in relation to national security. Some of the EU DPAs who have made clear their more strict approach to US transfers may still call into question any new US transfer scheme that is introduced, even if it is a marked improvement.

It therefore seems likely that many EU organisations might continue to fall back on the SCC as a more reliable compliant transfer route and less susceptible to political wrangling and changes. Anecdotally, most of the author’s clients have taken this approach. Some well-known data processing companies such as MailChimp, used by many organisations to send their weekly marketing newsletters, were proactive and reasonably quick to provide a compliant solution for their customers by introducing use of the SCC (see MailChimp’s press release here). Other organisations are taking a ‘wait and see approach’ which leaves their customer with no choice but to be in breach of the legislation or terminate the service. One US provider that I approached today responded to my request for information stating:

Thank you for contacting us about the European Court of Justice’s recent decision regarding the US-EU Safe Harbor program. As you know, the ECJ’s decision has the potential to affect several thousand companies that participate in the Safe Harbor program, including ours. At this time, we currently do not have a separate/additional data processing agreement. We are awaiting more concrete guidance from the ongoing negotiations between the EC and the US before making any changes. In the meantime, we’d like to reassure you that we’re continuing to provide the same high level of data privacy and data security.’

Does this get us off the hook as data controllers? Unfortunately not. We are in breach of the data protection legislation if we continue the service provision. We are potentially subject to £500,000 fines in the UK as of 1 February 2016, when the three-month grace period comes to an end. To ensure we’re not also accused of scaremongering reports, I should say that my personal view is that it is unlikely that the ICO will take anything other than a ‘light touch’ approach to enforcement at this time and will most likely await further clarification at the EU level before imposing greater sanctions.

In anticipation of likely increased enforcement in this area in the near future, some of our clients have also gone for a more nuclear option—deciding to move entire business streams and supply arrangements back to UK/EEA data centres and providers. They simply want to avoid future concerns about prohibitions on such international data transfers. Where some of those clients are traditional data processor organisations, they are also now starting to ‘sell’ this compliant option to their customers. They are making it easy for data controllers to buy their services. Seems like a sensible plan.

Reportedly, some of the larger providers like Microsoft, Amazon and other US cloud service providers are also setting up new UK and EEA data centres to help allay some of the concerns of their European corporate customers. While this may help provide a solution in the shorter term, organisations will have to carefully check what new terms and conditions they agree to in relation to these supply services. It is often the case, particularly with the much larger technology suppliers, that you will be faced with ‘take it or leave it’ terms that can be changed ‘at any time and at the supplier’s discretion’. This often means that initial due diligence, providing assurances on this matter, could quickly become outdated, as suppliers change both their own terms and also negotiate new terms with their onward sub-contractors, potentially back outside the EEA again. Businesses must therefore keep their supplier arrangements under consistent and regular review.

There are, of course, a number of other potential compliant personal data transfer mechanisms or ‘solutions’ to permit transfer to the US, but most have serious pros and cons. For example:

Some UK organisations have considered whether obtaining informed and unambiguous consent from their customers and end users might be a realistic solution—while this sounds simple enough, in reality it is very unlikely to provide a robust or realistic compliant transfer mechanism in the majority of relatively complicated and involved data transfer and outsourcing situations.

In the UK, under the current data protection legislation, some organisations might also choose to carry out their own rigorous assessments to self-certify a compliant international transfer—again, this is not as easy as it may sound and is not an option for multinationals who don’t have that option under the existing law in other EU countries (for instance, in Ireland self-certification is not a possibility, which would preclude a multi- national with interests in Ireland from taking this approach across the board).  This self-certification will also no longer be possible under the proposed new GDPR, so it is not a long term solution.

An extensive analysis of the pros and cons of the various alternative compliance mechanisms to Safe Harbor is beyond the scope of this article. Organisations are therefore strongly encouraged to carry out their own comprehensive analysis of the risks and options, taking legal advice as necessary.  Please contact Pritchetts if we can be of any assistance to you in carrying out this analysis or helping you put alternative compliance mechanisms in place.

Have any of the rules in the GDPR taken into account the Schrems ruling?

On 17 December 2015, EU negotiators finally reached agreement on the new EU GDPR. Negotiations on the EU data reform package have been ongoing since 2011 and while the final texts are not yet available, we do now have the final compromise texts for both the GDPR and the draft Data Protection Directive relating to the police and criminal justice sectors covering data transfers between law enforcement agencies across Europe.
Once the texts are translated into all the EU languages and ratified by the Council of the European Union and the European Parliament (anticipated in Quarter 1 2016), they will be published in the Official Journal of the European Union. Each of the 28 EU Member States must then amend their national laws within two years and 20 days after that publication. The new law will therefore become enforceable from early 2018.
The GDPR contains a number of new protections for EU data subjects and obligations for the data controllers and processors who process their information. Sanctions for non-compliance will become much more stringent generally, including increased fines of up to 4% of global annual turnover or €20m—including for non-compliant international data transfer.
In brief terms, the GDPR will continue to allow personal data transfers outside the EEA where the EC has made a decision that an ‘adequate’ level of personal data protection exists. For example, where transfers are made:
  • To an EC designated ‘safe country’ who has adequate legislation and controls in place
  • Using the SCC—now without the need to gain prior approval from numerous national DPAs—although this wasn’t required in the UK, it was in some other Member States 
  • After putting Binding Corporate Rules in place, or 
  • Under certain other agreed derogations—these mostly mirror the existing derogations under the current EU Data Protection Directive but notably, they also add a derogation possibility where:
    • none of the other international data transfer mechanisms apply, and
    • a transfer needs to be made for the ‘compelling legitimate interests’ of the data controller.
While this new/enhanced mechanism sounds like a huge softening of the current rules, the obvious flexibility this may add for data controllers is also balanced with stringent requirements for internal supporting documentation and evidence to support the fact that the transfer is: ‘not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, where the controller has assessed all the circumstances surrounding the data transfer and based on this assessment adduced suitable safeguards with respect to the protection of personal data.’ 
This is, of course, as hugely subjective as the ‘legitimate interests’ fair processing ground under Schedule 2 of the Data Protection Act 1998. It is, therefore, clear that EU and UK regulatory guidance will be needed to help data controllers to make responsible decisions about transfers being made in these circumstances. In reality, it is possible that in the UK, the ICO may take the approach that this derogation is akin to the existing ability to carry out a self-adequacy assessment in relation to non-EEA personal data transfers (as discussed above in this article).

There are also new compliance mechanisms introduced under the GDPR to enable international data transfer based on, for example:
  • Approved codes of conduct or certifications being put in place by the relevant data processors or data controllers alongside certain binding commitments by them. Codes of conduct may, for instance, be prepared by trade associations or industry bodies representing certain data controllers and processors (including those outside the EEA) and be submitted to national DPAs for approval;
  • Data protection certification programmes (like the ICO’s current privacy seals project) may also be developed to demonstrate that accredited controllers or processors (again including those outside the EEA) meet certain agreed standards;
  • On the basis of ad hoc contractual clauses with prior approval of a national DPA
There are, however, also some more stringent conditions that will have to be complied with under the GDPR, including:
  • More onerous obligations around provision of adequate fair processing information to data subjects, including more detailed information about the transfers to be made and why
  • A much needed tightening up of rules around onward transfer of information and also around personal data to be transferred out of the EEA in response to legal requirements from a country outside the EEA
This brings us neatly back once again to the Schrems ruling and its impact on the proposed new GDPR. This landmark case highlighted, among other matters, a requirement for the EC to only make adequacy decisions based on ‘essential equivalence’ and, as discussed above in this article, a need for EU individuals to have the same rights of redress as are given to citizens in the third country, where their rights have been breached.

These themes have been picked up in recital 81 of the GDPR which, among other issues, clarifies that an EC adequacy decision under the GDPR should only be made where:

‘…the third country…offer[s] guarantees that ensure an adequate level of protection essentially equivalent to that guaranteed within the [European] Union... In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the European data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress’. It is clear that even the GDPR can’t ignore the impact of the Schrems case. Let’s just hope ongoing political wranglings over Safe Harbor and the Judicial Redress Act don’t lead to any re-opening of discussions about the text of the draft GDPR, just when we thought we might have some certainty on that.

Stephanie is the principal of the specialist data protection and privacy law firm Pritchetts Law.

Interviewed by Alex Heshmaty.