Data Transfers from EU to US “unlawful”; EU Signals Enforcement Actions Possible After January, 2016
On Friday, October 16, 2015, the Article 29 Working Party (“WP29”) released a statement on the decision of the Court of Justice of the European Union (“CJEU”) in the case Schrems v Data Protection Commissioner (C-362-14), the landmark decision which invalidated the decision of the European Commission underpinning the Safe Harbour framework by which personal information was permitted to move from the EU to the United States.
Status of Model Contract Clauses and Binding Corporate Rules
The WP29 stated that it was still considering the Schrems decision and acknowledged the uncertainty that the decision had caused, emphasizing that “data protection authorities (“DPAs”) consider that it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.”
During the WP29’s evaluation period, it suggests that certain similar mechanisms for rendering lawful a transfer of data from the EU to the United States remain valid. In particular, WP29 advises that during its evaluation period, "data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used". Accordingly, while certain data protection commissioners have doubted the validity of these mechanisms, it appears that the majority of commissioners will accept them as legitimate at least for a transitional period. WP29 goes on to note, however, that this will not prevent DPAs from investigating individual cases.
Transfers Considered Unlawful - Enforcement by January 1, 2016
The WP29 also unequivocally stated its view that “it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”).” It then goes on to say that (emphasis added) “transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.”
Businesses will have a short timeline in which to bring themselves into compliance. The WP 29 has set a 3-month deadline for the EU and United States to conclude negotiations and implement a new safe harbour regime. It has warned that “[i]f by the end of January 2016, no appropriate solution is found with U.S. authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."
Other Points in the WP29 Statement
In WP29’s view, the “the question of massive and indiscriminate surveillance is a key element of the Court’s analysis” in Schrems and warned that such surveillance is “is incompatible with the EU legal framework” and warned that the transfer of personal information to third countries “where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers.”
This implies that any future adequacy decisions from DPAs will undertake a broad analysis of the third country’s domestic laws and international commitments. In this regard, there is a risk that Canada’s PIPEDA will be called into question in light of this country’s relationship (formal and otherwise) with the United States and Canada’s recent data legislation (in particular Bill C-51, introduced by the Canadian federal government and affording Canadian law enforcement officials greater access to data). It is an open question as to whether this constellation of factors could push Canada into the realm of “inadequate” safeguards insofar as the EU is concerned.
Likewise, there remains a risk that other bases for sending data from the EU to the United States will be threatened by this interpretation of Schrems. In particular, in a number of circumstances, it is unclear whether an importer of data in the United States can make the strong warranties required by the model contract clauses or the binding corporate rules, if similar guarantees were deemed inadequate under the now-invalidated Safe Harbour regime.
Businesses will want to pay close attention to the ongoing Safe Harbour negotiations between the EU and the United States, and in the interim, seriously consider rerouting data flows, evaluate the risks and benefits of model contract clauses and binding corporate rules, and re-evaluate their collection and transfer of personal information where possible.
privacy Safe Harbor