…an Austrian law student attended a seminar where a Facebook representative gave a talk. The Facebook representative apparently made light of European data protection laws. Little did Facebook, or any of us, know that those comments would result in that law student bringing down the entire EU-US Safe Harbor programme…
On 6 October 2015, the Court of Justice of the European Union (CJEU) ruled that the Safe Harbor gateway, which was one of the easier ways of lawfully transferring personal data from Europe to the US, is no longer valid.
This decision has caused considerable consternation, not just in Europe, but also in the US. Any organisation that transfers personal data to the US from Europe needs to understand the ramifications of the judgment and consider how they are going to ensure adequate protection for overseas transfers going forward.
Participants in the payment services ecosystem may be particularly concerned about these developments, because many of them process transactions on a global basis and rely on distributed cross-border networks as a fundamental part of their business models.
The Austrian law student was Maximilian Schrems and he made a complaint to the Irish Data Protection Commissioner (Facebook's regulator in Europe). The crux of the complaint was that his data was not being adequately protected by Facebook in the US, due to the fact that the US National Security Agency (NSA) was accessing personal data as part of its large-scale surveillance operations. Schrems asked the Irish Data Protection Commissioner to review Facebook's data transfer arrangements to determine whether they offered adequate protection for personal data.
The Irish Data Protection Commissioner refused to do so, on the basis that the transfer of data from Europe to the US was being undertaken under the EU-US Safe Harbor regime, which had been given the green light by the European Commission.
Schrems challenged this decision in the Irish High Court, which referred a question to the CJEU to determine whether it is possible for a national regulator to audit arrangements that are being undertaken in compliance with a framework that has been deemed adequate by the European Commission.
In the wake of allegations made by Edward Snowden about systematic access to personal data by the NSA and other US intelligence agencies, the CJEU ruled that:
The Safe Harbor arrangement should have been ended following the Snowden revelations on the grounds that the personal data transferred under Safe Harbor was not secure, and therefore the Safe Harbor arrangements are invalid.
Whilst the Safe Harbor arrangements only apply to organisations in the US who adhere to them, public authorities in the US were not subject to them. Furthermore, the national security and law enforcement requirements of the US override the Safe Harbor arrangements. This allows interference, by the US, with the fundamental rights of persons under both the Charter of Fundamental Rights of the European Union and the Data Protection Directive.
Data protection regulators, such as the Irish Data Protection Commissioner, are entitled to investigate and audit organisations transferring personal data to the US, even if the transfer is undertaken under the Safe Harbor regime.
The CJEU held that the European Commission did not have the authority to restrict national data protection regulators from undertaking such investigations.
Under the current European Data Protection Directive, organisations processing personal data in Europe are generally prohibited from transferring personal data outside the EEA, unless they ensure that additional safeguards are implemented to ensure “adequate protection” of that personal data.
Under the Safe Harbor arrangements, organisations in the US can agree to comply with the Safe Harbor principles and self-certify that they are doing so. The European Commission issued a decision in 2000 which specified that transfers of personal data to the US would be deemed to provide adequate protection for personal data if the recipient was Safe Harbor-certified. Thousands of organisations have since relied on that European Commission decision, including major US operators such as Amazon, Oracle, Google and Facebook and, in the payments industry, MasterCard.
The result of the Schrems case is that the European Commission's decision has been invalidated. For any organisation that previously used the Safe Harbor to facilitate data transfers from Europe to the US, this represents a major concern. Any organisation still relying on Safe Harbor needs to put in place alternative arrangements as a matter of urgency. However, developments since the judgment was handed down have cast doubt on the efficacy of alternative arrangements as well.
One of the most difficult issues for organisations grappling with US data transfers is the different approaches taken by each national data protection regulator and the Article 29 Working Party (which is a group made up of all the EU data protection regulators). Whilst all of these bodies have indicated that the Schrems judgment has ramifications beyond the Safe Harbor regime, no consistent message has emerged about how to enforce the judgment. For example:
The Article 29 Working Party
The Working Party has issued a statement saying that it considers any data transfers made under the Safe Harbor agreement to be unlawful. It has also indicated that data protection regulators will start to take enforcement action from the end of January 2016, if no satisfactory resolution has been agreed with US authorities by that time.
The Working Party also considers the impact of the judgment on other transfer mechanisms, such as data transfer agreements based on the EU Model Contract clauses. The Model clauses are a standard form of agreement approved by the EU Commission, by which an EU data exporter can impose contractual restrictions and liabilities on a data importer.
The Working Party’s statement clearly demonstrates that it believes that the Schrems judgment calls into question all methods of transferring personal data to the US. The key concern for European data protection regulators is the mass and indiscriminate nature of surveillance by US authorities and the lack of judicial redress for European citizens, regardless of the method of transfer.
UK Information Commissioner’s Office
In the UK, the Information Commissioner's Office so far appears to be taking a more pragmatic approach. It has stated that it has no plans to take any immediate enforcement action, because it will take time for organisations to migrate from Safe Harbor to an alternative means of ensuring adequate protection for data transfers to the US.
German Data Protection Commissioners
At the other end of the scale, some German Data Protection Commissioners have stated that any transfer of personal data to the US will be in breach of the Data Protection Directive, and appear to be champing at the bit to take enforcement action.
For organisations operating across Europe, this divergence of approaches by the regulators is unhelpful, to say the least.
Prior to the Snowden revelations and the Schrems judgment, the US and Europe had been in discussions for some time about 'Safe Harbor 2.0'. Those discussions came about due to ongoing concerns within European institutions about how robust Safe Harbor protection was in practice. It is hoped that the outcome of the Schrems case will energise and accelerate these discussions. However, to date we have not seen any concrete proposals about how US national security priorities can be balanced against European privacy concerns.
There is no defined timetable for when the 'Safe Harbor 2.0' discussions will be finalised. Given the seemingly irreconcilable objectives of the parties involved in the discussions, together with the range of other political and policy objectives currently vying for attention on both sides of the Atlantic, perhaps this is not surprising.
We recommend that, as a first step, organisations carry out an audit as a matter of urgency to identify all arrangements where personal data is being exported to the US, and identify any transfers that may potentially be affected by the Schrems judgment. The audit should identify:
Once the audit is complete, a review should be undertaken to identify the highest risk transfers (e.g. transfers involving large volumes of data or particularly sensitive personal data) and the steps that need to be taken to ensure that adequate protection is in place for that data as a priority.
There are a number of exemptions from the prohibition on transferring personal data outside of Europe. These include obtaining consent from individuals to the transfer, or transferring data necessary for the performance of a contract. The circumstances in which these exemptions can safely be relied upon tend to be limited in scope. However, it is worthwhile considering whether any data transfers can legitimately be carried out on this basis, and taking further advice where this is not clear cut.
There is a danger that a careful audit of data transfer activities within a business may reveal a problem that is difficult to fit into any solution currently available.
On the one hand, overseas data transfer is an essential part of doing business in the payment services industry. It is also part and parcel of driving innovation and efficiency in the industry, because it facilitates links between disparate parties and systems and underpins new business models, most prominently Cloud-based computing and services. These types of services are predominantly provided by companies based in the US. Given the combined size of the payment services industry across the US and Europe, transatlantic data transfers are difficult, if not impossible, to avoid for many payments businesses.
On the other hand, EU-based payments businesses looking to realise the benefits of transferring data to the US need to ensure that they comply with their regulatory obligations, including Financial Conduct Authority (FCA) rules (in the UK, or the equivalent in their jurisdiction) and data protection requirements. Equally, service providers need to demonstrate that they will not jeopardise the compliance status of their customers. This includes complying with the prohibition on transferring personal data to the US without adequate protections.
Recent FCA guidance on outsourcing to the Cloud (including outsourcing personal data) states that there is “no fundamental reason why cloud services…cannot be implemented, with appropriate consideration, in a manner that complies with our rules”. So, the key question for those working in the payments sector is what constitutes “appropriate consideration” with regard to data transfers to the US?
Unfortunately, in the absence of any applicable data protection exemptions (see above), after the Schrems judgment it is unlikely that any method of transfer to the US will guarantee compliance with European data protection requirements. Whilst commentators have called for the acceleration of 'Safe Harbor 2.0' to plug the gap left by Schrems, the prospect of the EU and its US counterparts agreeing to this any time soon appears remote.
For the time being, European organisations are left with a stark choice between pulling all of their personal data out of the US (with all the cost implications and contractual complexities that this would entail) or 'making do' with their own adequacy checks and alternative arrangements (most likely the EU Model Contract clauses) and hoping that European regulators will agree that this is sufficient. But hope is not a strategy that many will feel comfortable relying on.
First published by Payments Compliance on 30 November 2015.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions on www.TLTsolicitors.com