
What next for safe harbor?

On 6 October 2015, the Court of Justice for the European Union (CJEU) ruled that the Safe Harbor gateway, which was one of the easier ways of lawfully transferring personal data to the US, is no longer valid. For more on this ruling, see our previous article.

This decision has caused considerable consternation, not just in Europe, but also in the US. After the initial impact of the judgment, further ramifications are being felt even now, one month after the judgment was released.

The American chair of the FTC has recently admitted that the decision has impacted the insular American administration, comparing it to an earthquake measuring 7.8 on the Richter scale. 

Responses to the ruling

The initial response of both the European Commission and Information Commissioner was to suggest that organisations should consider transferring from a Safe Harbor arrangement to an alternative method, such as utilising Model Contract Clauses or Binding Corporate Rules. However, this may only afford a temporary respite.

One of the most interesting points is the difference in approach between the Article 29 working party (which comprises representatives of all the European Data Protection Supervisory authorities and some other bodies), the UK Information Commissioner, and some German Data Protection Commissioners.

All of these bodies have indicated that the impact of the CJEU judgment is wider than just Safe Harbor transfers to the States. Although they consider that there could be implications for the other two main ways used to permit the lawful transfer of personal data to the US (namely, transfers to the US under Model Contract Clauses or Binding Corporate Rules), their approaches appear to be different.

Some German Data Protection Commissioners have gone as far as to say that any transfer of personal data to the US would breach the Data Protection Directive, and appear to be chomping at the bit to take enforcement action.

The Article 29 working party has stated that it considers any transfers made under the Safe Harbor agreement to be unlawful, and it will consider taking enforcement action in respect of transfers made to the US, under either Model Contract Clauses or Binding Corporate Rules, from the end of January 2016.

The Information Commissioner's Office is taking a more practical approach. It says it has no plans to take any enforcement action for the foreseeable future, as it appreciates that it will take time to migrate from Safe Harbor to an alternative. However, it accepts the position of the Article 29 working party that the CJEU's decision extends to more than transfers made under Safe Harbor.

Whilst this may reassure data controllers established in the UK, if they operate or process personal data in other European states it would be prudent of them to review the other major data protection decision of the CJEU last month, in Weltimmo. This decision potentially exposes organisations based in the UK to enforcement action by other European Data Protection Commissioners if they consider that the organisation has transferred data to the US and, in doing so, breached the obligation not to transfer personal data to a state that does not have appropriate legislative safeguards in place to protect personal data.

Will any exemptions apply?

There are a variety of exemptions that can be applied in relation to specific transfers. These include where the transfer is necessary for the purposes of legal proceedings, or where the transfer is necessary for the purpose of the conclusion or performance of a contract. 

Whilst the current European Data Protection Directive contains various approaches to permit the transfer of personal data to non-EEA states, none of the alternatives, other than the express consent of the data subject, appears to be able to withstand the impact of the CJEU's judgment.

Even the express consent of the data subject may not be effective. For consent to be valid it must be informed and freely given. It could be argued that if individuals provided consent before being made aware of the likely access of their personal data by the American intelligence services, then it was not fully informed and, as such, there could be an obligation to obtain fresh consent.

What will happen next?

On 6 November 2015 the EU published a communication recognising the Article 29 working party conclusions and setting out the progress on the negotiations on Safe Harbor 2.0. It indicates that currently there does not appear to be any effective long-term alternative to permit the routine transfer of personal data, other than the anticipated Safe Harbor v2.0. They therefore hope to have a finalised version agreed within three months.

What steps should you take now?

As recommended in our previous update, organisations need to identify all arrangements where data is being transferred to the US and the basis of such transfers. As an interim step, suppliers could be asked to sign up to model contract clauses in place of relying on Safe Harbor. It is also worthwhile considering whether any of the exemptions to the prohibition on overseas transfers apply to particular arrangements (for example where the transfer is necessary to perform a contract with the data subject). In the longer term it is hoped that Safe Harbor 2.0 will be agreed by the US and EU in time to meet the end of January deadline for enforcement action.

Although the UK Information Commissioner is taking a pragmatic approach, if your organisation operates or processes personal data from outside the UK, the Weltimmo judgment may impact you. The ruling means that other data protection commissioners, who may be less understanding, may be able to take enforcement action against your organisation from 1 February 2016 if personal data from data subjects in their country is transferred to the US. It would be prudent to identify whether or not, using the criteria set out in the Weltimmo judgment, your organisation is either intentionally or inadvertently established in any other EU states.

If none of the exemptions apply then you should consider whether any other contingency measures can be undertaken to mitigate the impact of the judgment post 1 February 2016, if Safe Harbor 2.0 has not been agreed by then.

The worst case scenario would obviously be that your organisation needs to cease transferring personal data to the US. This approach has been suggested by more than one German Data Protection Commissioner, and this may be one of the factors driving the softening of the US Administration's position in respect of the protracted Safe Harbor 2.0 negotiations.

The IT industry has also realised that this is a real risk and this is likely to be one of the main reasons why many of the larger cloud computing providers, such as Microsoft and Amazon, are rushing to implement European based data centres and have announced, within the last month, plans to build data centres in the UK. 

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions on www.TLTsolicitors.com

by Varun Shingari
