It has been nearly two months since the European Court of Justice declared the Safe Harbor Agreement, a pact that allowed data transfers between the EU and the US, invalid.
The landmark ruling has created considerable uncertainty for the thousands of businesses who rely on Safe Harbor as the basis for the transfer of personal data to the US. How can they continue to do so while still complying with EU data protection laws?
The solution will depend on a number of local and regional factors, as well as on circumstances particular to the business concerned, not least because the relevant authorities are already taking markedly different approaches. To take just three:
The UK ICO is advising companies to take stock of their arrangements to ensure adequate protection for personal data, which it admits is “no easy task”, and consider what alternatives they might use. Taking a pragmatic approach, it has confirmed that Safe Harbor was just one of the available legal bases for EU-US transfers of personal data and that the ECJ ruling does not affect the use of “model clauses” or the use of Binding Corporate Rules (“BCRs”).
The German Data Protection Authorities have adopted a far more restrictive approach. In a joint statement, they announced that they will order companies to cease data transfers to the US that rely on Safe Harbor. In addition, they have questioned the legality of BCRs and the model clauses. For the time being, they will not approve new BCRs, so German companies that do not already have BCRs in place cannot now adopt them as an alternative. A couple of Data Protection Authorities, in particular in Northern Germany, have even called on companies to suspend arrangements relying on model clauses.
Article 29 Working Party
This highly influential working party, made up of representatives of the data protection authorities of all 28 EU member states, takes a position somewhere between those of the UK and German authorities. The Article 29 Working Party has stated that if a solution, such as "Safe Harbor 2", is not reached with the US Government by 31 January 2016, EU Data Protection Authorities will take all necessary and appropriate actions, which may include coordinated enforcement.
Meanwhile, the European Commission has announced that it is stepping up its negotiations with the US on Safe Harbor 2 and aims to conclude them within three months. It has also confirmed that the alternative methods of transferring personal data outside the EU remain open to challenge before the courts and that national data protection authorities must investigate complaints about them. Where employee data transfers are involved, the stakes are particularly high: serious data protection breaches are likely to also breach employment obligations and could trigger claims by employees, separate from any enforcement action by regulators.
Compliance with data protection laws is a key business risk and our dedicated Data Protection teams are on hand to guide businesses through these realms of uncertainty. As a global law firm with in-depth knowledge at a local level, we can help your business whatever its jurisdiction to identify and put into place the optimal proportionate solution to cover the current situation. Once the General Data Protection Regulation is in agreed form – it is expected to be finalised in the next few months and come into force two years after that - we can advise your business on what further arrangements may be needed.
Now is the time to act. Businesses that have turned a blind eye to the formalities of international data transfer or used unreliable mechanisms such as contractual consents should realise that the risk profile of non-compliance has now changed dramatically, with this issue now firmly on the enforcement agenda and on employees’ radar too. And if your business relies on Safe Harbor, you only have around two months to put alternative arrangements in place.