Guidance on transatlantic data transfers following the Schrems ruling
Date: Mon, 11/09/2015 - 19:23 Source: European Commission
The 1995 EU Data Protection Directive sets out rules for transferring personal data from the EU to non-EU countries. Under these rules, the Commission may decide that a non-EU country ensures an "adequate level of protection". These decisions are commonly referred to as "adequacy decisions".
On the basis of the 1995 Data Protection Directive, the European Commission adopted a Decision on 26 July 2000 (the "Safe Harbour decision") recognising the "Safe Harbour Privacy Principles" issued by the United States Department of Commerce as providing adequate protection for the purposes of personal data transfers from the EU.
As a result, the Safe Harbour decision allowed for the transfer of personal information for commercial purposes from companies in the EU to companies in the U.S. that have signed up to the Principles.
The functioning of the Safe Harbour arrangement relied on the commitments and self-certification of the companies that had signed up to it. Companies signed up by notifying the U.S. Department of Commerce, while the U.S. Federal Trade Commission was responsible for enforcing Safe Harbour. Signing up to the arrangement was voluntary, but the rules were binding on those who did.
2013: NSA revelations and the 13 Recommendations
The NSA revelations in 2013 raised serious questions about surveillance and personal data protection. Safe Harbour permitted limitations to the data protection rules where necessary on grounds of national security. The question therefore arose whether the large-scale collection and processing of personal information under U.S. surveillance programmes was necessary and proportionate to meet the interests of national security.
Following the Snowden revelations, the Commission decided to review the Safe Harbour, and issued 13 recommendations for its improvement in November 2013:
Transparency
1. Self-certified companies should publicly disclose their privacy policies.
2. Privacy policies on self-certified companies' websites should always include a link to the Department of Commerce Safe Harbour website, which lists all the 'current' members of the scheme.
3. Self-certified companies should publish the privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.
4. The Department of Commerce should clearly flag on its website all companies which are not current members of the scheme.
Redress
5. The privacy policies on companies' websites should include a link to the alternative dispute resolution (ADR) provider.
6. ADR should be readily available and affordable.
7. The Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of the information they provide concerning the procedure they use and the follow-up they give to complaints.
Enforcement
8. Following the certification or recertification of companies under Safe Harbour, a certain percentage of these companies should be subject to ex officio investigations of effective compliance with their privacy policies (going beyond control of compliance with formal requirements).
9. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to a specific follow-up investigation after 1 year.
10. In case of doubts about a company's compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
11. False claims of Safe Harbour adherence should continue to be investigated.
Access by US authorities
12. Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under Safe Harbour. In particular, companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.
13. It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate.
What did the recent Schrems case mean for the Safe Harbour?
On 6 October, the Court of Justice declared in the Schrems case that the Commission's Safe Harbour Decision was invalid. The ruling underlined the importance of the fundamental right to data protection, including where personal data is transferred to third countries. The judgment confirmed the Commission's approach since November 2013: the Safe Harbour arrangement did not provide the level of data protection required by EU law.
In light of the ruling, the Commission's top priorities are:
• To ensure a high level of protection of personal data when transferred across the Atlantic;
• To ensure the continuation of transatlantic data flows with adequate safeguards;
• To coordinate the response with national Data Protection Authorities (DPAs) so as to ensure the uniform application of EU law in the internal market and clear guidance for European businesses.
What can companies use instead of the Safe Harbour?
In the meantime, until a reviewed Safe Harbour is agreed, transatlantic data flows between companies can continue using the other mechanisms for international transfers of personal data available under EU data protection law.
These other mechanisms include:
• Standard contractual clauses with companies across the Atlantic, which specify data protection obligations and are approved by the Commission;
• Binding Corporate Rules for transfers within a multinational corporate group, which are approved by national DPAs.
Data protection rules also include derogations under which data can be transferred on the basis of:
• The conclusion or performance of a contract (including pre-contractual situations: for example, personal data may be transferred in order to book a flight or hotel room in the U.S.);
• The establishment, exercise or defence of legal claims;
• If there is no other ground, the free and informed consent of the individual.
What did the Data Protection Authorities (DPAs) decide following the ruling?
The Article 29 Working Party (the independent advisory body that brings together representatives of all DPAs) issued, on 16 October, a statement regarding the first conclusions to be drawn from the judgment.
Among other things, this statement contained the following guidance on data transfers:
- Data transfers can no longer be based on the Commission's invalidated Safe Harbour Decision;
- Standard Contractual Clauses ("SCCs") and Binding Corporate Rules ("BCRs") can in the meantime be used as a basis for data transfers, although the Article 29 Working Party also stated that it will continue to analyse the impact of the judgment on these alternative tools;
- The statement further calls on Member States and EU Institutions to enter into discussions with the U.S. authorities to find legal and technical solutions for data transfers; the current negotiations around a new Safe Harbour could, in the view of the Article 29 Working Party, be part of this solution.
The Article 29 Working Party announced that if, by the end of January 2016, no appropriate solution is found with the U.S. authorities, and depending on the assessment of alternative tools for data transfer, the DPAs will take all necessary and appropriate action, including coordinated enforcement action.
Finally, the Article 29 Working Party stressed the shared responsibility of the DPAs, the EU Institutions, Member States and businesses to find sustainable solutions to implement the Court's judgment. In particular, the Working Party urged businesses to consider putting in place legal and technical solutions to mitigate the risks they face when transferring data.
Why is the Commission issuing a Communication?
As long as the negotiations are not finalised, companies need to comply with the ruling and rely on alternative transfer tools where available. The Commission's explanatory communication analyses the consequences of the judgment and sets out the alternative mechanisms for transfers of personal data to the US. The Commission will also continue to work closely with the independent data protection authorities to ensure a uniform application of the ruling.
What happened following the Court of Justice ruling?
A new general arrangement is the best way to protect EU citizens in an age of ever increasing commercial data transfers across the Atlantic. It is important not only for transatlantic commercial relations but first and foremost for EU citizens and their data protection rights. Only a comprehensive framework with commitments and enforcement by the US authorities can ensure in practice the level of data protection Europeans deserve and are entitled to under EU data protection law.
Alternative transfer tools provide a short-term solution; however, given the volume of transfers, it is crucial that a simple and effective framework is in place.
Directly after the judgment, Commissioner Jourová was in contact with Commerce Secretary Pritzker on the way forward and negotiations at technical level continue at an intense pace.
Commissioner Jourová will travel to Washington on 13 November to continue negotiations for a renewed and safe framework for the transfer of personal data. A new Safe Harbour Agreement would ensure continued transatlantic data flows with robust safeguards and legal certainty for businesses and citizens alike.
Where do the negotiations towards a safer Safe Harbour stand?
On the Recommendations on transparency, enforcement and redress (1 to 11), there is agreement in principle, but the Commission is still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.
The US has indeed delivered on these points by committing to stronger oversight by the Department of Commerce (DoC), stronger cooperation with European DPAs and priority treatment of complaints by the Federal Trade Commission (FTC). This will transform the system from a purely self-regulating one into an oversight system that is more responsive and pro-active, backed up by significant enforcement, including sanctions.
European national data protection authorities will have a more active and visible role in the system than previously was the case. For instance, the interface and communication channels between DPAs and the DoC have been improved. The DPAs will also have a role to play in the review of the functioning of the system.
The Court has confirmed that an adequacy decision is a living document; it must be periodically reviewed in light of developments of the foreign system. The Commission is working on this point with the US to put into place an annual joint review mechanism that will cover all aspects of the functioning of the new framework, including the use of exemptions for law enforcement and national security grounds, and that will include the relevant authorities from both sides.
When it comes to the intervention of public authorities, in particular for reasons of law enforcement and national security, the Court underlines that such access must be subject to clear conditions and limitations. This closely reflects the Commission's recommendation made two years ago that "the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate". The Commission is working with the US to ensure that there are sufficient limitations and safeguards in place to prevent access or use of personal data on a "generalised basis" and to ensure that there is sufficient judicial control over such activities.