ICO blog post on the impacts of the collapse of the Safe Harbour arrangement following the Court of Justice of the European Union’s decision in the Schrems case, which found that the Safe Harbour arrangement did not ensure adequate protection for personal data transferred from the EU to the US in line with the eighth data protection principle. The post includes some contextual background, the implications for organisations, the need to act, and potential future developments.
In February 2016, the European Commission (EC) and the United States (US) agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield. The new legal text replaces the Safe Harbour framework, which was declared invalid by the Court of Justice (CJEU) last October.
This new framework includes not only commitments in the commercial sector, but also commitments on access to personal data by public authorities for national security purposes. Furthermore, the draft “adequacy decision” has been included for all US companies providing services on the EU market.
The Data Protection Commissioner (DPC) has inadvertently found itself in the position of chief data regulator for the EU. According to Germany and other EU member states, Ireland’s data protection regime is too lenient, despite efforts made by the data protection commissioner.
Most of Europe’s largest technology organisations have a base in Ireland. Thus, any impediment to their ability to do business in Europe would affect Ireland most, since companies are worried about personal data transfers to the US.
Therefore, the DPC is taking a cautious stance on the new data protection framework. A blizzard of tech rulings is expected to be given in the following weeks.
<< European privacy regulators, gathered in the Article 29 Working Party, discussed at a meeting on 2 and 3 February the implications of the ‘Schrems’ ruling of the European Court of Justice for transfers of personal data to other countries. They welcome the fact that the negotiations held between the EU and the US have resulted in agreement on the introduction of an ‘EU-US privacy shield’ by the deadline set by the regulators in October. Commissioner Jourová (Justice) undertook to send the draft decision, with all supporting documents, to the European supervisors within three weeks, with a request to advise the European Commission on it. On the basis of those documents, the supervisors will assess whether the new agreement meets the requirements of the European Court of Justice, and will come together for an additional meeting.
The content of the documents is needed to know exactly what the legal value of the outcome of the negotiations is, and to assess whether it meets the broader concerns that have arisen about the transfer of personal data to the US. In their analysis, the supervisors will also consider the question of to what extent the ‘EU-US privacy shield’ can legally reinforce other legal bases for the transfer of personal data, such as Standard Contractual Clauses and Binding Corporate Rules. The supervisors will primarily evaluate whether their concerns with regard to the legislation in the US can be overcome by the introduction of an EU-US privacy shield.
The supervisors indicated that existing Standard Contractual Clauses and Binding Corporate Rules may continue to be used in the meantime, but that they will include in their assessment whether this also applies in the future.
In recent weeks the regulators have assessed the current relevant legislation, the work of US intelligence agencies, and the conditions under which an infringement of the fundamental right to personal data protection is justifiable. The supervisors will analyse the ‘EU-US privacy shield’ announced by the European Commission against these guarantees. These guarantees for intelligence activities derive from the case law of the Court of Justice of the European Union and the European Court of Human Rights. They are:
- The processing of data must be based on clear, precise and accessible rules. This means that it should be clear to those concerned what might happen to their data if they are transferred to other countries.
- Necessity and proportionality must be demonstrated. A balance must be struck between the purpose for which the data are collected and used (national security) and the rights of those involved.
- Some form of independent oversight should exist in the country where the data are processed. This supervision must be effective and impartial. This could be a judge or a different independent body, as long as there are sufficient possibilities to carry out the necessary checks.
- Data subjects must be able to appeal effectively. Everyone should have the right to assert his or her rights before an independent body.
The supervisors emphasize that these four safeguards should be respected both when personal data are transferred from the EU to the US and other third countries, and within the EU countries themselves. >>
Company XY has contacted the Agency with a request about the companies which import data on the basis of a Safe Harbor certificate, and about the personal data that shall be submitted to these companies as part of the technical solution Verdasys and a hotline for whistleblowers. In previous letters the company states that the Verdasys tool and the hotline are not designed or intended to monitor the content of electronic mail or other electronic communication, but that they do monitor other parameters, such as the size of documents to be sent (via e-mail, pen-drives, CD recorders, etc.), potential infiltration through cyber attacks, and improper use of trade secrets or other business information. The Verdasys tool identifies a person only in the case of a warning due to suspicious activity, in order to carry out further investigation. In the few cases when further investigation is necessary, the employee being investigated is informed of the allegations against him or her, and he/she and the other participants are informed of their right to protection of personal data.
Following the European Court of Justice’s invalidation of the Safe Harbour mechanism, which allowed the transfer of personal data to U.S. companies certified under the Safe Harbour Program, it is no longer possible to transfer data to the U.S. on the basis of the above-mentioned Agreement.
In November 2015, the Spanish Data Protection Agency (AEPD) sent a letter to all companies that operate in Spain and had previously notified the AEPD of cross-border data transfers to Safe Harbour certified companies. This communication outlined that Safe Harbour certifications were no longer valid. In this regard, the AEPD stated that companies must implement other mechanisms to continue the data transfers previously covered by the aforementioned Program. In particular, the AEPD is requiring the companies to report, not later than January 29, 2016, any mechanisms that have been implemented to ensure adequate protection for personal data transferred to importers in the United States.
Finally, last December, the AEPD issued a new communication on the implementation of the Safe Harbour judgment, which is the object of analysis in this assessment.
Maciej Kawecki, Bureau of the Inspector General for Personal Data Protection, Poland
Dariusz Kloza, Vrije Universiteit Brussel, Belgium
While the work on the General Data Protection Regulation slowly comes to an end, recently causing both self-reflection and worldwide heated debates on its prospects, there is no doubt that two particular judgments of the Court of Justice of the European Union from October 2015 gained no less attention. Obviously we have in mind the judgments in the widely-debated Schrems and the not-yet-so-popular Weltimmo cases, whose influence on the regulation of personal data protection in Europe and beyond is unprecedented. This influence is at least twofold.
First, both judgments have abruptly changed the landscape of cross-border data protection relationships. In Schrems, the Court annulled the Commission’s Decision of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles. This has forced the majority of American data controllers, who had self-certified to the US Department of Commerce their adherence to these principles, to search for another basis for transfers of personal data, such as binding corporate rules, model contractual clauses or simply the individual’s consent. In Weltimmo, the Court – ‘in construing the coordinates of human rights protection in the digital age’ (as Zanfir puts it) – has further extended the range of competences of national supervisory authorities. They are now authorised, so to speak, to exercise supervisory powers even over those data controllers and processors who do not fall into their territorial jurisdiction due to lack of a ‘registered office or branch’ therein, but exercise ‘through stable arrangements in the territory of that Member State, a real and effective activity’ (§41).
Second, although this will not be any obvious conclusion from reading the respective texts of these judgments, these two cases have reinforced cooperation between European data protection authorities. This development particularly interests the PHAEDRA project consortium.
In Weltimmo, the Court made one of not-so-many such strong interpretations of Article 28(6) of Directive 95/46 (i.e. ‘supervisory authorities shall cooperate…’). The judges in Luxembourg argued that cooperation is ‘necessary in order to ensure the free flow of personal data in the European Union, whilst ensuring compliance with the rules aimed at protection of personal data of natural persons’ (§53) and even spoke about ‘the duty of cooperation laid down in Article 28(6)’ (§57; emphasis ours). But what struck our attention is that the Court not only made a distinction between investigative and adjudicative/enforcement jurisdictions (see the writings of Svantesson on this matter), but also reaffirmed that enforcement cooperation is an obligation. A supervisory authority ‘may exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable to the processing in question’ (§57). However, in case ‘the law of another Member State is applicable, [the authority] […] must […] request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits’ (§57; emphasis ours).
A reader would easily note that the term ‘must’ was used in the context of the ‘duty of cooperation’. The fulfilment thereof, in the still-current regime of Directive 95/46, is rather problematic. The list of troubles is long, but one of the most pertinent is the absence of explicit and detailed legal provisions on cooperation at the European Union level or at a domestic one. Can supervisory authorities rely solely on Article 28(6)? This question should rather be rephrased as whether this provision has a vertical direct effect. Were it found unconditional, sufficiently clear and precise, its direct applicability could mean, inter alia, that an authority from one Member State must request its counterpart from another Member State to cooperate on a cross-border case and the latter must not refuse. (The Weltimmo decision tends to confirm so. The judgment concludes with a sentence stating that a supervisory authority ‘should […] request the supervisory authority within the Member State whose law is applicable to act’.) Or, speaking more bravely, a data subject might demand that her supervisory authority cooperate with its counterpart, and neither of them might refuse either.
Few readers would disagree that the Schrems judgment does not concern any aspect of cooperation between supervisory authorities. Yet its ramifications simply constitute another impeccable example of the need for cooperation between supervisory authorities on a “general” or “abstract” level. (While in Weltimmo we analysed enforcement cooperation, this does not exhaust the range of cooperation activities supervisory authorities may engage in.) After each important data protection judgment arriving from Luxembourg – be it Digital Rights Ireland, Costeja or Schrems – the necessity to develop a common position, both in the forum of the Article 29 Working Party and by each and every supervisory authority, forced them to act. Concerning the latest ruling, in its statement of 16 October 2015 the Working Party directly indicated that ‘it is absolutely essential to have a robust, collective, and common position on the implementation of the judgment’ (emphasis ours). A reader would easily note a plea for more unity.
The Weltimmo and Schrems judgments are yet another set of decisions that have unprecedented consequences for the data protection landscape in Europe and beyond. The former case underlined both the significance of enforcement cooperation and the duty to cooperate between supervisory authorities. The consequences of the latter case once again forced these authorities to speak with one voice. In our opinion, both judgments reinforced cooperation mechanisms and pleaded for their efficiency. Using the narrative of human rights, such efficiency is a means of practical and effective protection of personal data. What is now left on the agenda is to ensure the efficiency of cooperation between supervisory authorities under the future regime of the General Data Protection Regulation. Weltimmo and Schrems remain instructive here.
This news release and guidance document from the Danish DPA provides contextual background information on the declaration by the EU court of the invalidity of the Safe Harbor agreement between the US and the EU on the transfer of personal data. The European Court of Justice (ECJ) had, on 6 October 2015, issued a judgment on a preliminary ruling referred by the Irish High Court, in a case between the Austrian citizen Maximillian Schrems and the Irish Data Protection Commissioner.
It further provides guidance on other legal arrangements for the transfer of personal data to the US (appropriate contractual provisions, the Commission’s model contracts, and binding corporate rules), and action being taken by both the Danish DPA and in concert with other EU DPAs.
On November 19, 2015, the French Data Protection Authority (CNIL) published guidance, including a set of frequently asked questions, to assist companies that are transferring personal data to the U.S. pursuant to the Safe Harbor framework.
The CNIL clarified that the DPAs are still analysing the impact of the CJEU ruling on BCRs and EU Model Clauses, but have decided to allow companies to rely on them temporarily. In addition, in order to speed up the process, the French Data Protection Authority pointed out that EU Model Clauses are the most suitable mechanism, since personal data must be protected immediately and the implementation of BCRs takes several months.
The guidance does not make any reference to other data transfer mechanisms, in particular to derogations (such as data subject consent), which have always been narrowly interpreted by the CNIL.
Besides, the CNIL stated that companies must amend their existing filings by the end of January 2016 to either declare that their data transfers to the U.S. have ceased, or to specify that the data transfers will be based on another data transfer mechanism (EU Model Clauses).
Finally, the CNIL specified that in the absence of a Safe Harbour 2.0 by the beginning of next year, the European DPAs would assess the possibility of using their enforcement powers to suspend or forbid data transfers to the U.S.
On 22 October 2015, the Italian Data Protection Authority (GDPD) issued a provision following the recent judgment of the Court of Justice of the European Union in the case Schrems v. Facebook, which declared invalid the system set up under the Safe Harbour.
As a direct consequence, the GDPD has explicitly forbidden any data transfer between the two countries on the basis of Safe Harbour. Thus, it might carry out inspections on such transfers at any time and, if necessary, adopt the effective measures provided under the Italian Data Protection Code. Besides, the implementation of other alternatives is encouraged in order to ensure compliance with the Italian regulations on the protection of personal data.
Finally, the GDPD suggested some instruments to lawfully transfer the data of Italian citizens, i.e. Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR) or the consent of data subjects.
The Hamburg Commissioner for Data Protection and Freedom of Information recently released a statement regarding the judgment of the European Court of Justice on the Safe Harbour scheme in the case Schrems v. Facebook. This statement provides useful guidelines and instructions addressed to businesses and practitioners on how the judgment should be interpreted and on the next steps this supervisory authority will take in order to ensure compliance with the ruling.