EU data protection authorities address the fall-out from Schrems and the US responds
At the end of last week, the Article 29 Working Party (comprising representatives of the EU national data protection authorities, the European Data Protection Supervisor and the European Commission) issued a Statement on the implications of the European Court of Justice’s significant decision in Schrems regarding the invalidity of the Safe Harbor framework.
As a recap, the European Court of Justice ruled earlier this month that the Safe Harbor framework, used since 2000 for the transfer of personal data from the European Economic Area to US entities, was invalid, leaving thousands of US employers who rely on the framework unclear as to their options (for further details on the ECJ judgment, please read last week’s news alert here).
What was outlined this week in the Working Party Statement?
In summary, the Working Party is calling on Member States and European institutions to open discussions with US authorities to find solutions that enable US data transfers which respect EU citizens’ fundamental rights. Any solution will, at a minimum, need necessary oversight by public authorities, “on transparency, on proportionality, on redress mechanisms and on data protection rights.”
The Working Party will consider the analysis of the impact of the Schrems judgment on other mechanisms for transfer, confirming (helpfully) that in the meantime other methods of personal data transfer (i.e. standard contractual clauses and binding corporate rules) can still be relied upon. However, it is worth restating (as mentioned in our previous alert on this topic) that one of the federal German data protection authorities (ULD) has issued an opinion questioning the validity of standard contractual clauses, so their long-term viability as an alternative option remains questionable.
If, by the end of January 2016, no solution has been found with the US authorities, and depending on the assessment of the other transfer tools by the Working Party, the EU data protection authorities may take coordinated enforcement actions (although no further detail was provided in the Statement as to what this means in practice or the severity of any sanction).
What is happening in the US?
Across the Atlantic this week, the US House of Representatives has passed a bill (the Judicial Redress Act of 2015) which could allow foreign citizens to bring civil actions against US government agencies for the purposes of accessing, amending, or redressing unlawful disclosures of records maintained by those agencies (to mirror the rights of US citizens). The approval of the bill by the House was particularly welcomed by the tech industry. The bill now moves to the US Senate for approval. It is hoped, in the US, that the new Act will help find a solution to the transatlantic transfer of personal data.
Does the Working Party Statement change the current uncertainty as to how US employers should be handling transatlantic personal data transfer from their EU subsidiaries?
Unfortunately, the Statement does not provide a clear roadmap as to what businesses should do next, but it is of some comfort that the Working Party considers that standard contractual clauses (i.e. model clauses) and binding corporate rules can still be used, for now, although the validity of these will be assessed further.
The Working Party Statement encourages businesses to reflect on the eventual risks they take when transferring data and on putting in place any legal and technical solutions in a timely manner. For those companies who rely on Safe Harbor, EU data protection authorities may contact them directly with relevant information, as well as providing information campaigns at a national level. So it really is a matter of keeping up to date with any announcements at a UK or EU level.
The Working Party has made it clear in its Statement that any Safe Harbor transfers that are still taking place are unlawful so, as we outlined in our news alert last week, US employers with UK or EEA subsidiaries who rely on the Safe Harbor framework should now assess what options are available to them to legitimise personal data transfer to the US in accordance with the Data Protection Directive.
US employers who transfer personal data across the Atlantic from their EU subsidiaries using Safe Harbor should be actively revising the method by which they undertake this data transfer, if they have not done so already. The most prudent approach, whilst we wait for further guidance from national authorities and the EU, is, as far as possible, to consider the extent to which employee personal data can be processed by EU-based HR professionals and colleagues, whilst anonymising any employee data which has to be sent over to the US (further details can be found in our news alert here).