We are commenting a press release summarising the remaining concerns surrounding the privacy shield arrangement relating to international transfers of personal data from the EU to the US, from the perspective of the Dutch DPA.
According to the European Court of Justice’s invalidation of the Safe Harbour mechanism, which allowed the transfer of personal data to U.S. companies certified under the Safe Harbour Program, it is no longer possible to transfer data to the U.S. based on the above mentioned Agreement.
In November 2015, the Spanish Data Protection Agency (AEPD) sent a letter to all companies that operate in Spain and had previously notified the AEPD of cross-border data transfers to Safe Harbour certified companies. This communication outlined that Safe Harbour certifications were no longer valid. In this regard, the AEPD stated that companies must implement other mechanisms to continue transferring data under the aforementioned Program. In particular, the AEPD is requiring the companies to inform not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.
Finally, last December, the AEPD issued a new communication on the implementation of the judgment of Safe Harbour which is the object of analysis in the assessment.
This news release and guidance document from the Danish DPA provides contextual background information on the declaration by the EU court of the invalidity of the Safe Habor agreement between the US and the EU on the transfer of personal data. The European Court of Justice (ECJ) had, on 6 October 2015, issued a judgement on a preliminary ruling by the Irish High Court, in a case between the Austrian citizen Maximillian Schrems and the Irish Data Protection Commissioner.
It further provides guidance on other legal arrangements for the transfer of personal data to the US (appropriate contractual provisions, the Commission’s model contracts, and binding corporate rules), and action being taken by both the Danish DPA and in concert with other EU DPAs.
On November 19, 2015, the French Data Protection Authority (CNIL) published a guidance, including a set of frequently asked questions, to assist companies that are transferring personal data to the U.S. pursuant to the Safe Harbor framework.
The CNIL clarified that the DPAs are still analysing the impact of the CJEU ruling on BCRs and EU Model Clauses, but have decided to allow companies to rely on them temporarily. In addition, in order to speed up the process, the French Data Authority pointed out that EU Model Clauses are the most suitable mechanism, since personal data must be protected immediately and the implementation of BCRs takes several months.
The guidance does not make any reference to other data transfer mechanisms in particular, to derogations (such as data subject consent), which always has been narrowly interpreted by the CNIL.
Besides, the CNIL stated that companies must amend their existing reports by the end of January 2016 to either declare that their data transfers to the U.S. have ceased, or even to specify that the data transfers will be based on another data transfer mechanism (EU Model Clauses).
Finally, the CNIL specified that in the absence of a Safe Harbour 2.0 for the beginning of next year, the European DPAs would assess the possibility of using their enforcement powers to suspend or forbid data transfers to the U.S.
On 22 October 2015, the Italian Data Protection Authority (GDPD) issued a provision following the recent judgment of the Court of Justice of the European Union in the case Schrems v. Facebook, which declared invalid the system set up under the Safe Harbour.
As a direct consequence, the GDPD has explicitly forbidden any data transfer between both countries. Thus, it might carry out inspections on the transfer at any time and, if necessary, to adopt effective measures provided under the Italian Data Protection Code. Besides, the implementation of other alternatives is encouraged in order to ensure compliance with the Italian regulations on the protection of personal data.
Finally, GDPD suggested some instruments to lawfully transfer the data of Italian citizens, i.e. Standard Contractual Clauses (SCC), Binding Corporate Rules (BCC) or the consent of data subjects.
The issues dealt with in the judgement are complex. While they will require careful consideration, what is immediately clear is that the Court has reiterated the fundamental importance attaching to the right of individuals to the protection of their personal data. That is very much to be welcomed.
In articulating the level of responsibility that the national data protection authorities in each member state will bear, the judgement also clarifies the mechanisms by which data privacy rights must be protected by national data protection supervisory authorities, and the relationship between those authorities and the European Commission.
The judgement will now be considered by the Irish High Court, the High Court having referred a number of questions to the CJEU in relation to the “safe harbour” scheme in July 2014. I immediately instructed the DPC legal team this morning to take whatever actions are necessary to bring the case back as soon as practicable before the Irish High Court. The High Court has listed the matter for Tuesday 20 October at 10.15am.
In declaring the old “safe harbour” rules invalid, however, the significance of the judgement extends far beyond the case presently pending in Ireland. In that regard, my Office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgement can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers.”
See also the Statement from Data Protection Commissioner, Helen Dixon in respect of High Court Case 2013/765 JR – Schrems of 20 October 2015, (https://www.dataprotection.ie/viewdoc.asp?Docid=1498&Catid=66&StartDate=1+January+2015&m=n%29) which states “I welcome today’s ruling from Judge Hogan which brings these proceedings to a conclusion. My Office will now proceed to investigate the substance of the complaint with all due diligence.” This refers to the High Court of Ireland judgement Schrems -v- Data Protection Commissioner.