Safe Harbour’s successor to come
- The EU and the USA have agreed at a political level on a new arrangement governing the transfer of data to the USA, replacing the Safe Harbour Agreement, which has been declared invalid. It is called the “EU-US Privacy Shield” and will contain concessions by the USA as to the scope and monitoring of data protection. However, the Privacy Shield still needs to be implemented at several levels.
- The Data Protection Authorities (“DPAs”) provisionally still permit data transfers to the USA on the basis of alternative mechanisms such as Binding Corporate Rules or EU Model Clauses. A conclusive decision will be reached by the European DPAs in March 2016 at the earliest, once they have been able to thoroughly examine the legal situation.
The events at the EU level over the past few days concerning data protection and data transfers to the USA have been confusing. An announcement was ultimately made, but the expected solution was not presented.
1. Succession regulation for Safe Harbour
In October 2015 the ECJ (as reported) declared invalid the Safe Harbour Agreement, which until then had served many enterprises as the basis for data transmissions to the USA. The German and other European DPAs, which have come together to form the so-called Article 29-Working Party, subsequently announced that data transmissions made solely on the basis of the Safe Harbour Agreement would no longer be tolerated. As regards the alternative instruments used by many companies (such as Binding Corporate Rules or the so-called EU Model Clauses), a decision would be reached by the end of January 2016 as to whether or not these would continue to be accepted. This simultaneously set an effective deadline for the EU Commission and the US Government to settle the overall matter by adopting a new Safe Harbour Agreement.
The EU Commission announced on 2 February 2016 that it had reached agreement with the USA on a succession regulation for the Safe Harbour Agreement, which is now called the “EU-US Data Privacy Shield”. However, this only represents a political agreement, whilst the concrete text will still have to be negotiated and implemented over the coming weeks.
1.1 The basic parameters of this agreement are:
- US companies wishing to import personal data from Europe will need to commit to robust data privacy standards. This includes the commitment to comply with decisions by the European DPAs. The US Department of Commerce will monitor the commitments and make sure that they are enforceable.
- The US has given the EU its written assurances that access by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Exceptions may be made only to the extent necessary and proportionate. The EU Commission and the US Department of Commerce will conduct an annual joint review to monitor the functioning of the arrangement.
- Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the US Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be available (free of charge). For complaints on possible access by national intelligence authorities, a new ombudsperson will be created.
1.2 The further course of action regarding the new EU-US Privacy Shield is as follows:
In the coming weeks the competent EU Commissioners will prepare the draft of an “adequacy decision”, which should then be adopted by the EU Commission – inter alia after obtaining the advice of the Article 29-Working Party. In the meantime, the USA is also to make the necessary preparations to put in place the new basic framework, the legal remedies, the monitoring mechanisms and the new ombudsperson. Only then can American enterprises begin to implement these rules, and only after that will data transmissions be permissible.
2. The DPAs' view of the legality of alternative mechanisms
In parallel to the announcement of the new EU-US Privacy Shield, the various EU DPAs met within the scope of the Article 29-Working Party to discuss their intended handling of the aforesaid alternative mechanisms of Binding Corporate Rules and EU Model Clauses. In a declaration issued on 3 February 2016 they announced the following points:
- The DPAs call on the EU Commission to communicate all documents pertaining to the new arrangement by the end of February 2016. The Article 29-Working Party will then be in a position to complete its assessment of all personal data transfers to the US at a plenary meeting to be organised over the coming weeks.
- Until the conclusion of these consultations (in March 2016 at the earliest) the DPAs will not take any action against enterprises which transmit their data to the USA or other third countries on the basis of Binding Corporate Rules or EU Model Clauses. In justification hereof the Article 29-Working Party states – as it already did beforehand – that the outcome of the examination of the alternative mechanisms depends on the extent to which the USA actually sufficiently and effectively implements its announcements to protect the data of EU citizens in the context of the new Privacy Shield agreement.
The DPAs will, however, take action against data transmissions made solely on the basis of the old Safe Harbour Agreement.
3. Consequences for German enterprises
This has the following consequences for the data protection standards to be met by enterprises:
3.1 The new EU-US Privacy Shield cannot be used yet. It still has to be implemented in the EU and the USA. Before that, the European DPAs will state whether they deem the new Privacy Shield to be adequate at all; the Article 29-Working Party has made this dependent upon the final version of the Privacy Shield. In the long term we can expect that the ECJ, as the supreme court instance, will once again have to address the question of whether the new Privacy Shield sufficiently protects the basic rights of EU citizens.
3.2 Enterprises which continue to base their data transfers to US enterprises solely on the Safe Harbour certification are violating the applicable data protection laws and must expect action by the DPAs, in particular fines.
3.3 Enterprises which have implemented intra-group regulations to observe data protection (so-called Binding Corporate Rules) or which base their data transfer to the USA on the EU Model Clauses will initially not have to reckon with action by the DPAs. However, we would still advise them to be prepared for the fact that, during later assessments, the DPAs will at least stipulate additional requirements.
In the meantime we would advise enterprises to incorporate additional regulations, at least into new EU Model Clauses being concluded, such as:
- The US recipient shall inform the EU data controller of all requests to access data made by US authorities, without undue delay, unless such notice is illegal.
- The US recipient undertakes to use and exhaust all legal means to challenge the authorities’ request for access to personal data.
- Furthermore, we advise specifying the means available to the EU data controller and the EU data subject to take legal action against the – alleged – illegal processing of personal data.
- Should EU Model Clauses be agreed or updated prior to the DPA’s announcement (which could specify further requirements), the agreement should include the obligation of the US data importer to accept and implement all amendments stipulated by the EU DPAs as well as the new EU Data Protection Regulation in the future.
3.4 Likewise, nothing initially changes for enterprises which have obtained consent to the transfer of data to the USA from the persons concerned in each case. We would like to point out, however, that the German DPAs, as a rule, do not consider consent to be a valid basis for data transfers to the USA if it is used repeatedly, as a mass instrument, or on a routine basis, or if such consent is obtained from employees. Accordingly, in the opinion of the German DPAs, consent used for standard internet services may no longer be valid.