Data transfers after Schrems: discord in the EU
The EU Court of Justice's Schrems decision essentially declared the US-EU Safe Harbour to be invalid. However, the immediate practical consequences of Schrems remain unclear say lawyers at White & Case.
Tim Hickman, associate, White & Case
Will EU Data Protection Authorities (DPAs) take serious enforcement action against businesses that fail to replace Safe Harbour with a lawful data mechanism? When will that enforcement begin? If businesses switch to another lawful transfer mechanism, eg Model Clauses or Binding Corporate Rules (CRs), is there any guarantee that DPAs will recognise those transfer mechanisms as valid?
To address these questions, the Article 29 Working Party (WP29), a formal gathering of representatives from each of the EU DPAs, issued a press release calling for a political solution and a new EU-US framework agreement, sometimes called Safe Harbour 2.0. But in recognition of the fact that such a solution is likely to be some way off, the WP29 laid out some guidelines for businesses. In particular:
- There will be no enforcement actions until the end of January 2016.
- From that point onward, DPAs “are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
Unfortunately, the meaning of this last phrase is far from clear. Isabelle Falque-Pierrotin, the chair of the WP29, gave an interview in which she stated that all EU DPAs are essentially in agreement on how to proceed. However, public statements from DPAs reveal a rather different story.
Matthias Goetz, associate, White & Case >>
The UK Information Commissioner's Office (the ICO) opened by saying: “We're certainly not rushing to use our enforcement powers.” The ICO pointed out that the impact of Schrems is still being analysed, and noted that there is a possibility that agreement on Safe Harbour 2.0 might still be achieved. The ICO further suggested that businesses could continue to rely on their own adequacy determinations as a lawful basis for transferring personal data to the US. Consequently, the risk of enforcement in the UK appears comparatively low.
The French DPA (which is also headed by Isabelle Falque-Pierrotin) released a statement that, unsurprisingly, is essentially in line with the WP29's press release. That statement advises businesses to cease transfers of personal data made under Safe Harbour and to use Model Clauses or BCRs instead, at least until end of January 2016. The risk of enforcement in France appears moderate at present.
The DSK, a forum of cooperation between German State DPAs, published a position paper stating that transfers made on the basis of Safe Harbour are unlawful, and that German DPAs will take enforcement action against businesses that fail to implement lawful transfer mechanisms. However, the DSK also questioned the validity of transfers based on Model Clauses or BCRs, throwing the available options into doubt.
There also remain significant disagreements among the various German DPAs. In particular, the DPA for the State of Schleswig-Holstein (ULD) stated that, in its view, personal data cannot be transferred to the US on the bases of Model Clauses or BCRs, and even explicit consent may not be sufficient. The enforcement risk in Germany is very high and businesses should be extremely cautious when transferring personal data from Germany to the US.
The Polish DPA has advised that businesses can no longer rely on Safe Harbour. Curiously, the Polish DPA has said that although it will not start any enforcement proceedings until the end of January 2016, such enforcement action may relate to complaints received before that date. Therefore, the enforcement risk in Poland appears to be high, as a complaint could potentially be made at any time.
Philip Trillmich, partner, White & Case >>
Impact and outlook
The outlook in the EU is uncertain at the moment, and businesses that operate in multiple EU Member States may find themselves subject to conflicting requirements from the national DPAs. It is undoubtedly clear that Safe Harbour, at least in its present incarnation, does not provide a lawful mechanism for transferring personal data from the EU to the US. It is likely that Model Clauses provide the best alternative in the short term, and BCRs may provide a longer term solution. Safe Harbour 2.0 is some way off, and is not guaranteed to arrive at all. Businesses should therefore keep a close eye on these issues, as developments over the coming months are likely to prove enlightening.
Contributed by: Tim Hickman, associate; Matthias Goetz, associate; Philip Trillmich, partner, White & Case