DPAs react to the CJEU's decision on Safe Harbor
Since the CJEU's decision of 6 October 2015 revoking the EU/US Safe Harbor program, Safe Harbor continues to make the headlines and there are new legal developments each day. This blog post summarizes the public statements that were made in recent days by the data protection authorities (DPAs) in the EU and regulators in other parts of the world.
Reaction of the European DPAs
On 16 October 2015, the Article 29 Working Party (WP 29) issued a public statement which says that the DPAs have discussed the consequences of the CJEU's decision. The position of the WP 29 is summarized below.
What is the WP 29's analysis of the CJEU's decision on Safe Harbor?
Unsurprisingly, the WP 29 says "it is clear that companies can no longer rely on Safe Harbor to transfer their data to the US". If companies are still doubting whether their transfers under Safe Harbor are lawful, the WP 29 confirms that "transfers that are still taking place under the Safe Harbor decision are now considered to be unlawful".
The WP 29 also states: "It is absolutely essential to have a robust, collective and common position on the implementation of the judgment".
The WP 29 highlights that "the question of massive and indiscriminate surveillance is a key element of the Court's analysis" and "such surveillance is incompatible with the EU legal framework". The WP 29 makes a particularly bold statement by saying that "countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers", which it would seem is addressed at the US authorities.
What should companies do?
Unfortunately, the WP 29 does not provide a lot of practical guidance for companies. It simply says that "businesses should reflect on the possible risks that they are taking when transferring data and should consider putting in place any legal and technical solution in a timely manner to mitigate those risks and respect the EU data protection acquis".
Two points are worth highlighting. First, the WP 29 calls upon companies to assess their level of compliance for all types of data transfers, not just those that are based on Safe Harbor. Second, companies need to do so in a "timely manner" which is the WP 29's way of saying that there is no time to lose. Those companies who have already begun to implement measures to enforce the Safe Harbor decision are in a better position compared with those who haven't.
Does the CJEU's decision affect other data transfer mechanisms (e.g., the EU Model Clauses and Binding Corporate Rules)?
The WP 29 says that it "will continue to analyse the impact of the CJEU's judgment on other data transfer tools", which in itself is not very reassuring given the reactions of some of the DPAs. In Germany, for example, the data protection authority for the German state of Schleswig-Holstein issued a position paper in which it declares the EU model contract clauses invalid.
Nonetheless, the WP 29 does convey a more reassuring message to companies by saying that "EU model clauses and BCR can still be used". At this point, it is difficult to predict what will be the impact of the Safe Harbor decision on Model Clauses and BCR and so we will continue to monitor the situation in the weeks to come.
How will the DPAs enforce the CJEU's decision?
The good news is that the WP 29 has granted a grace period to find an appropriate solution with the US authorities. The bad news is that this grace period will expire at the end of January 2016, which leaves very little time for companies to adapt.
Until then, if no solution has been found (a Safe Harbor 2.0?) and depending on the assessment that is made by the WP 29 of the other data transfer mechanisms, then "the DPAs are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions". As we have seen in recent months on other issues (such as mobile apps and cookies) the DPAs have demonstrated their ability to conduct pan-European enforcement actions. However, one should not forget that, even if the DPAs do launch a coordinated enforcement action, the actual enforcement measures can only be pronounced by each DPA at a national level. And the new enforcement provisions under the upcoming General Data Protection Regulation (GDPR) will not come into force before 2018 (assuming the text of the GDPR is formally adopted in 2016).
In the meantime, the WP 29 reminds that each national DPA can "investigate particular cases, for instance on the basis of complaints, and exercise their powers in order to protect individuals", which means that each DPA can act independently against any company in accordance with its national law.
The WP 29 also says that the DPAs "will also put in place appropriate information campaigns at national level to ensure that stakeholders are sufficiently informed", which may include "direct information to all known companies that used to rely on the Safe Harbor decision as well as general messages on the DPAs' websites". And so, companies who have filed their DPA notifications and/or obtained the approval of the DPAs to transfer data to the US on the basis of Safe Harbour could be contacted by the DPAs in the days or weeks to come and should therefore be prepared to explain to the DPAs what remediation measures they have put in place.
What next?
The WP 29 says that it "is urgently calling on the EU Member States and the European institutions to open discussions with the US authorities in order to find a political, legal and technical solution that enables companies to transfer personal data to the US in compliance with respect for fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects". It is interesting to note that the WP 29 does say that "the current negotiations around a new Safe Harbor could be a part of the solution" and so it has willingly left that window open.
The WP 29 also states: "The task that lies ahead to find a sustainable solution in order to implement the CJEU's decision must be shared between the DPAs, the EU institutions, EU Member States and businesses". With the GDPR soon to be adopted, this will be a challenge to get all the stakeholders to agree on a new Safe Harbor framework that complies with the provisions of the GDPR.
Reaction of the regulators in other parts of the world
The Safe Harbor decision has also caused a ripple effect beyond the European Union borders and regulators in other parts of the world have also reacted to the CJEU's decision.
United States:
The US Department of Commerce published an advisory on the Safe Harbor website stating: "In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework". Once fails to see how the Department of Commerce can actually continue to process submissions for self-certification to Safe Harbor when clearly such transfers are now unlawful under European law.
Israel:
On October 19th, the Israeli Law, Information and Technology Authority (ILITA) issued a statement in which it revokes its prior authorization to transfer data from Israel to the U.S. on the basis of Safe Harbor. Pursuant to the data protection laws of Israel, transfers of data outside of Israel to third countries is permitted if the data is sent to a country that receives data from the EU under the same terms of acceptance. However, the CJEU's decision invalidates the authorization to transfer personal data from Europe to companies committed to the Safe Harbor. Consequently, the position of ILITA is that organizations can no longer rely on this derogation as a basis for the transfer of personal data from Israel to organizations in the United States.
In the absence of an alternative valid arrangement or another formal decision of the EU with respect to the transfer of data from the EU to the US, companies who want to transfer personal data from Israel to the US are therefore required to assess whether they can legitimize their transfers on one of the other derogations set out in the data protection law of Israel.
Switzerland:
On 7th October, 2015, the Swiss Data Protection Authority (FDPIC) issued a first press release on its website stating that the Swiss/US Safe Harbor decision "is also called into question" by the CJEU's decision. "As far as Switzerland is concerned, in the event of renegotiation, only an internationally coordinated approach that includes the EU is appropriate."
On 22nd October 2015, the FDPIC made a second statement which says that "as long as Switzerland has not renegotiated a new Safe Harbor Framework with the United States, Safe Harbor cannot be deemed a valid legal mechanism for transferring personal data to the US." It would seem, therefore, that without officially revoking the Swiss/US Safe Harbor program, it is de facto no longer possible for Swiss based companies to transfer personal data to the US on the grounds of Safe Harbor.
Without explicitly mentioning any enforcement actions, the FDPIC calls upon businesses who are transferring personal data to the US to adapt their contracts with US companies before the end of January 2016. The FDPIC will also coordinate with the EU DPAs to determine what other actions may be required to protect the fundamental rights of the individuals.
By Olivier Proust