As policymakers in Washington and Brussels meet to discuss possible alternatives to the Safe Harbor in order to keep data flowing across the Atlantic, corporate privacy professionals are facing an immediate need to respond to the landmark decision in the Schrems case. Whether your company relied on Safe Harbor to transfer data for storage in the cloud, to process consumer orders, centralize HR administration, engage service providers or communicate with corporate affiliates, you now need a new solution, and you need it today. What do you do until the bigwigs hammer out a new deal for Safe Harbor 2.0? Execute dozens of model clauses? Engage pricey consultants to start your binding corporate rules? Rely on consent? Or perhaps lay low and wait for the storm to pass?
On October 6, more than 2,500 professionals registered to join an IAPP web conference featuring initial reactions on the day of the Safe Harbor decision. During that session, the IAPP received dozens of questions about next steps. We poured the questions into eight buckets, titled:
- What does the ruling do?
- What Now?
- BCRs and model clauses as alternatives
- Potential solutions
- Official responses and implications on foreign policy, and
- Policy and related issues
In this first of a series of five pieces, we feature answers provided to your questions by a panel of world-renowned experts. Here, attorneys Ruth Boardman, a member of the IAPP's GDPR Comprehensive Faculty, and James Mullock address both enforcement of the Safe Harbor ruling and some potential solutions.
Have more questions? Our experts will be available to answer them in person at the IAPP’s GDPR Comprehensive, February 22-23 in Brussels. Join them there for a special training event, to learn the new framework that is set to arrive at the end of 2015.
The Privacy Advisor: Will penalties be imposed upon organizations that continue to transfer data with no safeguards or U.S. Safe Harbor?
James Mullock & Ruth Boardman: At present, the majority of EU data protection authorities have made it clear that immediate enforcement is unlikely, at least until they have jointly discussed their approach via the Article 29 Working Party (which published a statement last week signaling a likely enforcement grace period until January 2016 to allow time for EU/US administration discussions regarding the agreement of 'Safe Harbor 2.0' to develop). We would hope that once a final decision as to approach has been taken, regulators will allow time for organizations to put alternative measures in place, but precise timings are currently unclear.
Prior to this decision, there had been little public enforcement of EU data transfer obligations. Given the court's comments, we think that we can now expect transfer compliance to attract much greater scrutiny. Certain EU regulatory bodies (particularly in Germany) are seriously unhappy about the activities detailed in the Snowden revelations; they have been casting doubt on the validity of Safe Harbor since the revelations were made. They will now feel vindicated, but we doubt they will feel fully satisfied. It's also worth adding that some transfers are inherently more likely to attract future scrutiny (as well as a higher risk of sanctions): for instance, transfers which involve sensitive categories of data, or those involving exporters or importers whose data is known to have found its way into the PRISM initiative. Even outside of these categories, the less effort that is made to comply with data transfer principles, the higher the risk of sanction if this is discovered.
The Privacy Advisor: What effect, if any, will the Safe Harbor invalidation decision have on existing FTC Consent Decrees involving companies that violated the Safe Harbor for failing to re-certify with Safe Harbor? Will the FTC dissolve or void those consent decrees because Safe Harbor is no longer valid?
James & Ruth: It is currently difficult to predict how the FTC will react. But the ongoing attempts to agree on "Safe Harbor 2.0" may incentivize the imposition of existing FTC sanctions. Certainly, any entity currently subject to a consent order should not assume that its obligations fall away unless and until the FTC communicates otherwise.
The Privacy Advisor: If companies do not remove Safe Harbor from their privacy policies, are they at risk for enforcement?
James & Ruth: In the EU, participation in Safe Harbor has not been ruled illegal—it is instead no longer considered an "adequate" method of transferring data to U.S. Neither has Safe Harbor been abolished. So provided that companies take other steps to ensure transfer adequacy, retaining general references to Safe Harbor will not of itself incur sanctions. Indeed, one could argue that complying with the Safe Harbor principles remains a positive step for U.S. companies to take even if it doesn't provide immediate transfer compliance. What would be particularly risky would be claiming to adhere to the Safe Harbor principles when your company does not, whilst also failing to put in place other measures to address European data transfer requirements. Both the FTC and EU regulatory authorities might bring enforcement action in these circumstances.
The Privacy Advisor: Could the FTC go after companies for committing deceptive trade practices by stating they participate in a program that effectively no longer exists?
James & Ruth: The Safe Harbor continues to “exist,” albeit not as an “adequate” method of transferring data to U.S. The Safe Harbor website of the Department of Commerce is still up and companies can continue to self certify or re-certify as Safe Harborites. At its core, self-certification under the Safe Harbor means a corporate undertaking to comply with a set of substantive data protection principles, which continue to be valid. While the FTC has not yet issued a statement on its enforcement of the Safe Harbor after the CJEU decision, it could conceivably pursue a company for reneging on its promise to comply with these data protection principles, even though compliance will no longer, in and of itself, be sufficient to authorize data transfers from the EU to the U.S.
The Privacy Advisor: Is it safe to say that individual DPAs now have authority on data transfer? Is working with each DPA that an organization operates within a possible temporary solution to the lack of Safe Harbor?
James & Ruth: Regulators are currently hoping to put in place a unified response through the Article 29 Working Party. The European Commission, too, is likely to take steps to save face in light of this setback. If a “Safe Harbor 2.0” agreement is not reached quickly (say by December) it will be very interesting to see whether every EU regulatory authority feels able to commit to the same, single approach to enforcement in the short term (see, for example, the German ULD DPA's response discussed in the answer to the next question).
In practice, given that Standard Contract Clauses (SCCs) and other mechanisms already require approval in a number of EU countries and to head off the risk of DPA fragmentation, companies should be prepared to assess and to deal with issues on a country by country basis. While it’s possible many U.S. readers will groan at the prospect, if the European Commission does not show prompt leadership on the agreement of viable alternative transfer mechanisms, there is a very real risk that different EU DPAs will take different approaches to data transfer enforcement in 2016. As those of us old enough to recall the birth of Safe Harbor 1.0 remember, viable alternative mechanisms tend not to be created overnight.
The Privacy Advisor: What alternatives to Safe Harbor apply if the underlying basis is that the U.S. Intelligence undermines the “adequate protection”? Are contractual remedies really viable to addressing this type of inadequacy?
James & Ruth: The viable short-term alternatives depend on which interpretation of the judgment is adopted by regulators. On a narrow reading of the judgment, Safe Harbor was found invalid due to procedural failings by the European Commission in putting in place its decision and U.S. enforcement weaknesses in relation to PRISM. However, a broader reading would take into account both the court's comments that individual DPAs have the authority and an obligation to review the adequacy of transfers irrespective of Commission decisions and comments on the lack of redress offered to individuals in relation to privacy breaches by state institutions under U.S. law.
If this wider reading is adopted by DPAs and/or the European Commission, it could lead to the use of SCCs with U.S. organizations being undermined. Given that the SCC provisions allow individuals stronger enforcement rights than those granted under Safe Harbor, this ought to have a better defense against a Schrems-lookalike challenge. But, at least one regulator (the DPA for the ULD region in Germany) has already expressed the view that the CJEU's decision permits it to disallow the use of SCCs and consent for the transfer of personal data to the U.S.
It remains to be seen if other regulators will follow this hard line view.
Last week’s Article 29 Working Party (A29WP) statement noted that SCCs would provide a valid adequacy mechanism at least whilst it considers the Schrems judgment—not exactly a bullet-proof endorsement, but at least the A29WP followed the ECJ in not jumping to shoot down SCCs and BCRs as many feared they would.
If SCCs are widely declared to be invalid for U.S. transfers, alternative options will need to be swiftly made available by the Commission if it does not want to be responsible for EU to U.S. trade grinding to a halt, not to mention putting wind in the sails of Eurosceptic commentators in countries such as the U.K., which will shortly vote on whether to stay in the EU.
Aside from contractual obligations, obtaining consent for transfers from affected individuals is an option (see the answer to the question on opt-in consent below). Also, certain countries, such as the U.K., have implemented data transfer laws to allow exporting controllers to self-assess the adequacy of their international transfers. The UK regulator in particular has issued renewed guidance on data transfers that sets out key issues for the exporter to consider in applying self-assessment, and it can be expected that this option will prove extremely helpful for those in the U.K. addressing Safe Harbor's removal.
Long-term compliance solutions such as Binding Corporate Rules or relocating servers to the EU or countries such as Canada, whose laws have been designated adequate, are other options to consider.
The Privacy Advisor: What should companies do to ensure their scrutiny of government requests for information is valid, proportionate, etc., as identified in the decision invalidating Safe Harbor?
James & Ruth: There is likely to be little that a company can do if it receives government requests for information to avoid being caught between the rock of such a request, and the hard place that is EU data protection law. Certainly, companies should insist that any local law procedures for requesting data are followed and documented and that requests outside of these formal procedures are resisted. They should also review staff and customer facing documentation to ensure that they bring advanced notice of the possibility of such disclosures to the attention of individuals, and ideally obtain prior consent from those individuals. Following receipt of a request, to the extent possible they should also try to identify and limit data to be disclosed to the specific relevant scope. It is not realistic to expect most companies to have the leverage or resources to resist or seek to restrict disclosure requests made by local law enforcement or national governments in the face of potentially severe sanctions.
The Privacy Advisor: If a U.S. client has explicit opt-in consent from its customers in the EU, will that be adequate protection?
James & Ruth: Consent is allowed in some countries as an exemption to the obligation to ensure adequate protection. Whether it is a workable solution will depend on local regulators, but for the vast majority of companies and data transfers it will not be a workable solution: some EU regulators set very high standards in obtaining valid consent, be that regarding the form in which it is obtained or in the relationship between the parties. One individual's refusal to consent will likely cause considerable inconvenience. It seems that making a service contingent on consent cannot be a long-term solution—the leaked trilogue compromise text on the GDPR retains a provision that will make it impossible for controllers to make service provision contingent on consent to processing in a certain way.
The Privacy Advisor: Can vendors who have an EU presence receive data from clients in the EU and then transfer from vendor-EU to vendor U.S. and then act like this is an internal corporate transfer?
James & Ruth: Not currently, unless the vendor has put in place BCRs for processors. SCCs require a direct contract to be put in place between the controller exporting client and the vendor U.S. data importer. Where a vendor EU entity stands contractually between the two, either separate SCCs need to be put in place outside of the existing contractual arrangement, or framework SCC arrangements need to be put in place. In this second solution, the vendor EU entity could sign controller to processor SCCs with its US group company acting as an agent on behalf of its customers. This then would require specific authorization from the EU client to be built into the Master Service Agreement. Filing or authorization obligations, where they exist, would still remain with the EU client. The A29WP did propose a new set of SCCs last year to unlock this scenario, but the adoption of these has not yet been fully finalized by the European Commission.
The Privacy Advisor: How does the ruling impact the continuing transfers "necessary to performance of a contract" exception?
James & Ruth: The ruling does not itself have any impact on the ability to claim this exemption. However, we do expect the ruling to lead to more companies considering this as an alternative. Exporters should be aware that they would need to show that the transfer was necessary to perform the contract—if the service is only located outside the EEA because of an EU controller's decision to base a service abroad, this is very unlikely to be sufficient.
The Privacy Advisor: From the point of view of small companies, considering cost, uncertainty and resources needed to understand the significance of the ruling, would you advise letting the Googles, Amazons and Facebooks lead the way here?
James & Ruth: No. Small companies should not panic, but they should start to consider what is right for their business and their customers and staff. They should allow time for DPAs to take a coordinated response if business pressures allow, and use the time now to start mapping the transfers they make and the data involved, and work out which alternative transfer option to Safe Harbor works best for their organizations. But European customers and regulators will expect a coherent strategy and won't likely take kindly to a delayed response.