Following the fall of Safe Harbor: next steps regarding data privacy
By Jan Pohle and Dr. Judith Nink
In its groundbreaking judgment of October 6, 2015, the Court of Justice of the European Union (CJEU) declared the US Safe Harbor framework invalid and confirmed the right of individuals to challenge any similar adequacy decisions that may be established by the European Commission through their national data protection authorities. The decision has attracted international attention, both in the European Union (EU) as well as in the United States (US). Now, more than one month after the CJEU ruling, numerous statements have been published and companies are being confronted with the impacts of the decision.
Overview Safe Harbor
The European Data Protection Directive 95/46/EC permits data transfers to countries outside the EU or European Economic Area (EEA) if an adequate level of data protection, comparable to the one within the scope of the Directive, is ensured in the receiving country and/or by the company receiving the personal data.
The Safe Harbor framework was established 15 years ago to enable European businesses to transfer personal data from the EU to the US in line with legal requirements in this area. US companies that joined Safe Harbor (over 4,500 companies) and thereby accepted the framework of data protection provisions were considered to provide an adequate level of data protection. It was commonly used for the transfer of data essential for proper intra-group operations and for outsourced services involving a US cloud or software-as-a-service provider.
The Safe Harbor decision
The CJEU judgment declared Safe Harbor to be invalid. As a consequence, data transfers to the US on the basis of Safe Harbor are no longer permitted. Due to the mass surveillance of all areas of life by US secret services, Safe Harbor is no longer deemed suitable for providing adequate protection of data privacy. US companies may at any time be asked by US authorities to disclose personal data. In these cases, the companies are obliged to follow the instruction and thus to disregard the Safe Harbor principles. There are no existing regulations intended to restrict this kind of invasion of privacy, and affected individuals have no legal recourse in this regard. The invalidity of Safe Harbor applies from the date of the decision and not retroactively: data transfers that had already been made before the judgment was announced are not affected.
The status quo
The CJEU decision will have major consequences for all kinds of businesses that relied on Safe Harbor as a stable basis for legitimate data transfers. They will now be compelled to change their approach regarding cross-border data flows. Various organizations have already published their positions regarding the future course of action.
Article 29 Data Protection Group
The Article 29 Working Group has granted the EU Commission and the US authorities a grace period until the end of January 2016 to find a solution for data transfers to the US that will be suitable to ensure sufficient protection of EU citizens’ rights. The Article 29 Working Group further announced that if no appropriate solution has been found with the US authorities by the end of this period, data protection authorities, depending on their assessment of alternative tools for data transfers, will take all necessary and appropriate measures, including coordinated enforcement actions. Data transfers on the basis of Safe Harbor have been declared inadmissible with immediate effect, while Standard Contractual Clauses and Binding Corporate Rules (BCR) are still considered sufficient for ensuring an adequate level of data protection for data transfers to the US – at least until the end of January 2016. However, this will not prevent competent DPAs from investigating individual cases when triggered by a complaint and taking appropriate measures to ensure the protection of individuals’ data.
Data protection commissioners in Germany
The Conference of the Data Protection Commissioners (DSK) in Germany formally welcomed the deadline of January 31, 2016 set by the Article 29 Working Group. Nevertheless, they are quite vague about further procedures. For example, DSK has questioned the admissibility of data transfers to the US based on other instruments, such as Standard Contractual Clauses or BCR, in the light of the CJEU’s ruling, but did not offer any alternatives. Hamburg’s data protection commissioner stated that further measures (such as prohibition orders and penalties) to stop unlawful data transfers based on Safe Harbor will be taken from February 2016.
Possible alternatives to Safe Harbor
While German DPAs do not have a clear common position with regard to other instruments such as EU Standard Contractual Clauses and BCR and to what extent they ensure an adequate level of data protection, the EU Commission stated that both instruments may be considered as a legal basis for data transfers to the US.
German data protection authorities
Apart from the position published by the DSK and further statements by German federal DPAs, the most interesting positions have been published by the DPAs in Hamburg and Schleswig-Holstein.
Hamburg’s data protection commissioner stated that the EU Standard Contractual Clauses and BCRs are considered to be a valid basis for data transfers, as long as the European and German DPAs do not come to a different conclusion. The commissioner further stated that if the EU Commission comes to the conclusion that the US can ensure an adequate level of data protection, the decision will be binding for all EU Member States. No national DPA shall be able to suspend this decision.
The DPA in Schleswig-Holstein does not consider the EU Standard Contractual Clauses to provide a sufficient level of protection. This position is based on the fact that, under the EU Standard Contractual Clauses, the data importer guarantees to the data exporter that, to the best of its knowledge, there is no legislation preventing the data importer from fulfilling the instructions received from the data exporter and its obligations under the contract. Due to the extensive access rights of the US secret services to personal data, no US company will be able to provide a reliable guarantee in this regard. Instead of creating contractual arrangements, the US should rather change its data protection regulations in order to ensure an adequate level of data protection for data coming from the EU. The DPA in Schleswig-Holstein has not expressly addressed BCRs in its statement, but as BCRs are contractual provisions as well and the rights of the US authorities remain the same, it can be assumed that the DPA Schleswig-Holstein will no longer tolerate BCRs either.
EU Commission guideline
On November 6, 2015, the European Commission issued non-binding guidance on alternative legal bases for transfers of EU personal data to the US:
>> The two sets of EU Standard Contractual Clauses as approved by the European Commission can be used as a legal basis for EU data transfers to the US. As the Commission’s decisions are binding in their entirety in EU Member States, incorporating the EU Standard Contractual Clauses in a contract means that national DPAs are, in principle, under an obligation to accept the clauses where they have been used without amendment. This is without prejudice to their power to examine the clauses in light of the CJEU ruling.
>> BCRs allow the transfer of personal data worldwide among the entities belonging to one group. BCRs are not only binding for members of the corporate group but are also enforceable in the EU.
>> Derogations, such as (but not limited to) public interest grounds or the free and informed consent of the individual, may also apply. However, the Article 29 Working Party considered that, due to their exceptional nature, the derogations must be interpreted very strictly. This circumstance is not really new to German companies.
Declaration of consent as a less attractive alternative
For data transfers to the US, companies may, of course, also obtain consent from individuals. Such consent would (a) provide permission for data transfers to the US and (b) act as a kind of waiver of an adequate level of data protection. However, in practice it is very challenging for companies to obtain a declaration of consent from each affected person, and the CJEU decision might make full compliance with the requirements for valid consent under German law even more difficult. The transferring party must not only provide information regarding the categories of data, the receiving party, the purpose of processing, the right to object and the inadequate level of data protection in the US, but also about the missing enforcement, deletion, blocking and erasure rights of the affected individual. Further, such consent is not suitable for mass data transfers.
The DPA in Schleswig-Holstein is of the opinion that obtaining a declaration of consent for data transfers to the US is no longer possible because the groundless mass surveillance practiced by the US affects the fundamental right of individuals to a private life and to the protection of personal data. The individual has no means to influence the disclosure of personal data. As data protection laws are primarily intended to protect the right of the individual to decide who may have access to personal information and to what extent, the DPA Schleswig-Holstein’s position goes too far and would restrict the individual to an unacceptable extent. As the other DPAs have not adopted this position, and as the DSK mentions the declaration of consent as a possible alternative in individual cases, it must be regarded as a minority position. Of course, data transfers can be structured on the basis of a declaration of consent, provided that the respective company meets all the requirements when obtaining it.
Safe Harbor 2
The European Commission has already started new negotiations with the US authorities and aims to agree on a new data sharing arrangement with the US (Safe Harbor 2) as soon as possible. However, it is not yet foreseeable when this arrangement will come into force. While the EU Commission has mentioned a period of 3 months, the end of March 2016 has also been mentioned. In any case, the timeline will depend on when the US government grants European individuals sufficient rights to enforce their data protection rights in the US and limits access to personal data.
Summary and outlook
In summary, as the EU Standard Contractual Clauses have not been declared invalid, entering into EU-approved Standard Contractual Clauses is currently the safest way to structure the processing and/or transfer of personal data from Germany to the US. BCRs may continue to be used as well. Companies are not advised to wait for the Safe Harbor 2 agreement, as DPAs will start enforcing the CJEU ruling beginning in February and it is very unlikely that the EU and the US will have agreed on a Safe Harbor 2 agreement by then.
Further, companies in Germany should monitor publications of the DPA responsible for the company. Even if the position of Schleswig-Holstein’s DPA is debatable from the legal point of view, companies in Schleswig-Holstein are advised to be very careful with transferring data to the US.