Safe Harbor is History

The recent October 6 judgment of the Court of Justice of the European Union (CJEU) on issue C-362/14, commonly known as the “Schrems Decision,” effectively invalidates the international transfer of data in the Safe Harbor Agreement. This means that in our country (and throughout the European Union) any international transfer of data to the US is likely to be considered invalid and not protected by law. This constitutes a serious offense, punishable in Spain with a fin... The recent October 6 judgment of the Court of Justice of the European Union (CJEU) on issue C-362/14, commonly known as the “Schrems Decision,” effectively invalidates the international transfer of data in the Safe Harbor Agreement. This means that in our country (and throughout the European Union) any international transfer of data to the US is likely to be considered invalid and not protected by law. This constitutes a serious offense, punishable in Spain with a fine of up to EUR 600,000 by the Spanish Data Protection Agency (Agencia Española de Protección de Datos). The negative fallout of the judgment was confirmed on October 16 by the Article 29 Working Party (Art. 29 WP), which includes, among others, the data protection authorities from EU member states. In a joint statement, the Art. 29 WP gave clear indications about the near future, calling on North American and EU authorities to seek “political, legal, and technical solutions” to ensure the viability of data transfers. Underlying the statement is the notion that it is pointless to protect data in the EU if it is transferred to countries whose systems offer fewer safeguards than those in Europe, such as the US, where the existence of “massive and indiscriminate surveillance” has become public knowledge since the Snowden case. Historically, the EU has repeatedly asserted that the Safe Harbor solution did not guarantee the fundamental rights of European citizens and the Schrems matter has triggered the stagnation of what was an open secret –the inadequacy of the Safe Harbor mechanism– which had become a utilitarian certification, lacking any real control or supervision. In an ultimatum, the Art. 29 WP has given until the end of January 2016 to find an appropriate solution from an EU perspective. Otherwise, “EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” An uncertain scenario lies ahead in the coming months, given the tough decisions that will have to be taken by both national authorities and the companies affected by the ruling. Where does this leave us? How can we prevent possible sanctions and maintain a constant flow of data with our parent companies and subsidiaries in the US? From a national perspective, current data protection law establishes the following as valid channels through which to conduct international data transfers to the US, once the Safe Harbor option is eliminated: | Authorization from the Agency Director, providing a contract between the parties that meets the required guarantees issued in the various decisions of the European Commission (Standard Contractual Clauses, “SCC”). | Exceptions provided for under Article 34 of the Spanish Organic Act 15/1999 on Personal Data Protection (Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal, LOPD), including the unequivocal consent of the affected party. | Binding Corporate Rules (BCR), understood as internal rules and protocols adopted by companies of the same multinational group, tailored to the requirements of each national standard. These solutions may also be affected by the rationale underlying the Schrems Decision, that being, if the recipient country does not offer the necessary guarantees, a contract with standard clauses or specific multinational BCRs will not ensure the required protections and could be subject to dispute by those affected and by the National Authority itself when processing them. Furthermore, the new EU Regulation on data protection, which is expected to be approved in late 2015, will doubtless take this decision into consideration, likely affecting the measures established therein. As a Regulation and not a Directive, these measures will be mandatory in member countries, adding an additional element of uncertainty to an already confusing scenario. As of today, in a show of caution, the Spanish Data Protection Agency has not taken a position on what it views as the best option and assures, in the words of its officials in a recent Strategic Plan presentation, that it is in constant contact with its European counterparts to find effective, guaranteed solutions, but must wait, because the Art. 29 WP, according to its joint statement, wishes to act with “a robust, collective and common position on the implementation of the judgment.” So, what is the best option considering the factors currently at play? In our view, given the uncertainty of the situation, it is advisable to act calmly, though with a conservative position that protects the interests of our companies. Of the many alternatives to joining the Safe Harbor, all have legal risks, elevated implementation costs, and would require considerable time to design and enact, but in our view, we cannot wait for an eventual reaction from the authorities, particularly given the significance that security risks assume in the US and its comparatively minimal concern for safeguarding privacy, practically non-existent in its own legislative corpus. At JAUSAS, with the recommended prudence, we will seek the most efficient option for our clients on a case by case basis, analyzing the effects of each one and weighing alternative or cumulative options to mitigate risks, including the strictly technical, such as the relocation of certain globalized IT processes, always aiming for Safe Harbor from a legal perspective in whatever solution we reach on this issue.