As policymakers in Washington and Brussels meet to discuss possible alternatives to the Safe Harbor in order to keep data flowing across the Atlantic, corporate privacy professionals are facing an immediate need to respond to the landmark decision in the Schrems case. Whether your company relied on Safe Harbor to transfer data for storage in the cloud, to process consumer orders, centralize HR administration, engage service providers or communicate with corporate affiliates, you now need a new solution, and you need it today. What do you do until the bigwigs hammer out a new deal for Safe Harbor 2.0? Execute dozens of model clauses? Engage pricey consultants to start your binding corporate rules? Rely on consent? Or perhaps lay low and wait for the storm to pass?

On October 6, more than 2,500 professionals registered to join an IAPP web conference featuring initial reactions on the day of the Safe Harbor decision. During that session, the IAPP received dozens of questions about next steps. We poured the questions into eight buckets, titled:

  • What does the ruling do?
  • What Now?
  • Timetable
  • BCRs and model clauses as alternatives
  • Enforcement
  • Potential solutions
  • Official responses and implications on foreign policy, and
  • Policy and related issues 

In this fourth in a series of five pieces, we feature answers provided to your questions by a panel of world-renowned experts. In this case, Olivier Proust of FieldFisher, addresses "official responses and implications on foreign policy."

Have more questions? Our experts will be available to answer them in person at the IAPP’s GDPR Comprehensive, February 22-23 in Brussels. Join them there for a special training event, to learn the new framework that is set to arrive at the end of 2015.

Official responses and implications on foreign policy

The Privacy Advisor: How is the U.S. responding to the ECJ opinion? What is the response from U.S. Department of Commerce (DoC)? 

Olivier Proust: The answer to that question depends on what is meant by "U.S." Do we mean the U.S. government, U.S. citizens, the DoC or U.S. businesses? What we've seen since the publication of the ECJ's decision is that it has sent a shockwave across the U.S. business community. Virtually every U.S. company that has relied until now on Safe Harbor to transfer its data from the EU to the U.S.  is now grappling to understand what it needs to do to comply with this decision, analyzing the risks now that Safe Harbor is invalid and re-assessing its data transfer options. From a U.S. perspective, the decision revoking Safe Harbor as a data transfer mechanism constitutes a serious blow for business and an impediment on EU/U.S. relations.

On the day the ECJ's decision was released, the DoC said in a public statement that it was "deeply disappointed" in the decision which "creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy." For U.S. authorities, this judgment comes at a bad time because, in the eyes of the public (in Europe at least),  it makes the U.S. look bad. In reality, the EU and U.S. authorities have been discussing changes to the Safe Harbor program since 2013 and, according to some recent public statements, they are close to reaching an agreement on a new Safe Harbor.  

The DOC also published an advisory on the Safe Harbor website stating: “In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework."  From a procedural point of view, it is unclear how the DoC can continue to process submissions given that, in Europe, no DPA is going to authorize any transfers of data under Safe Harbor. But this may be a sign that the DoC is waiting to see how the ongoing discussions with the European Commission on a revised Safe Harbor framework will unravel and does not want to risk suspending the Safe Harbor certification process if a new deal is agreed in the near future.

The Privacy Advisor: What potential impact does the ECJ ruling on Safe Harbor have on U.S. government agencies?

Olivier: Strictly from a legal standpoint, it has none. The ECJ's ruling has no legal effect on U.S. government agencies because the ECJ's decision is only binding on the EU Member States. At a political level, however, the impact is important because it sends a clear message to the U.S. that Europe does not want U.S. government agencies snooping on EU citizens. Whether the ECJ's decision will have a direct impact on the way U.S. government agencies operate is difficult to say. It is unlikely to have any immediate impact because U.S. government agencies operate in accordance with the laws that are in force in the US. But as we have seen recently with the adoption of the USA Freedom Act, Edward Snowden's revelations have raised the public's awareness, and consequently, the question about access to data for law enforcement and national security purposes has now become a political issue. At a time where the U.S. is preparing to enter into a new presidential campaign, it will be interesting to see how the different candidates address this issue which goes well beyond data transfers between the EU and U.S., and raises some fundamental questions about civil liberties in a democratic society and how to maintain a fair balance between privacy and security.

The Privacy Advisor: What have been the reactions of European DPAs?

Olivier: At a European level, the Article 29 Working Party issued a public statement which says that the DPAs have discussed the consequences of the ECJ's decision. In summary, the WP29 states that "companies can no longer rely on Safe Harbor to transfer their data to the U.S." and that “transfers that are still taking place under the Safe Harbor decision are now considered to be unlawful." The WP29 has also given politicians until end of January 2016 to find a solution to the crisis. If no solution has been found until then (such as an agreement between the EU and U.S. authorities on a new Safe Harbor program), then “the DPAs are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."

Several DPAs have also made public statements at a national level, either in the press or on their websites. What comes out of these various statements is that the DPAs don't seem to be completely aligned on how to interpret the ECJ's decision, especially with regard to its impact that it has on other data transfer mechanisms such as the EU standard contractual clauses and BCRs. Some DPAs (such as those of Germany and the Netherlands) are saying that the EU standard contractual clauses and BCRs are also flawed and would also need to be revisited (which raises the question whether companies can rely on those solutions to transfer their data), while others (e.g., France, UK ICO, Belgian DPA) appear to be taking a much more pragmatic and business-friendly approach and are saying that companies can rely on the EU standard contractual clauses and the BCRs to transfer their data outside the EU.

What this shows is that this is not an easy situation and there seems to be a divergence in opinion between the DPAs. While the DPAs are obliged to enforce the Court's ruling on Safe Harbor, its ruling has also opened a broader discussion about international data transfers as a whole. Therefore, the challenge for the DPAs will be to ensure that they maintain a consistent and common position regarding these issues, without contradicting the upcoming provisions of the General Data Protection Regulation that is currently being debated by the EU co-legislators and is likely to be adopted at the end of this year.

The Privacy Advisor: Should we expect the Obama Administration and the DoC to act quickly on a diplomatic solution? Is there a diplomatic solution possible to an ECJ decision?

Olivier: Discussions at a political and diplomatic level have already been taking place for some time and long before the ECJ released its decision. Since 2013 when the European Commission issued its 13 points for restoring trust between the EU and U.S., representatives of the European Commission and the DoC have been discussing a revision of the Safe Harbor framework. The ECJ's decision is certainly going to accelerate the pace of these discussions and put pressure on the representatives on both sides to reach an agreement soon. Diplomatic discussions will also certainly continue to take place in the background. Whether a new Safe Harbor will be agreed upon soon is difficult to say. The Commission will want strong assurances from the U.S. on two key issues (namely access to personal data by government agencies and a right to judicial redress for EU citizens in the U.S.) before accepting a new Safe Harbor agreement.

The Privacy Advisor: To what extent does this decision jeopardize the validity of the Commission decisions on the adequacy of the protection provided by certain countries (Uruguay, Israel, Andorra, Canada, etc.)? What about the U.S.-Swiss Safe Harbor?

Olivier: The European Commission (EC) has answered this question in its Communication of 6 November 2015. Essentially, what the Commission says is that, although the scope of the ECJ's judgement is limited to the Commission's Safe Harbor decision, each of the other adequacy decisions contains a limitation on the powers of the DPAs that is identical to Article 3 of the Safe Harbor Decision and which the ECJ considered invalid. The Commission states that it "will now draw the necessary consequences from the judgment by shortly preparing a decision, to be adopted pursuant to the applicable comitology procedure, replacing that provision in all existing adequacy decisions." Also, the Commission will engage in a regular assessment of existing and future adequacy decisions, including through the periodic joint review of their functioning together with the competent authorities of the third country in question.

Regarding Switzerland, the situation is a bit different given that Switzerland has also put in place a specific Safe Harbor program for transfers of data between Switzerland and the U.S., which is largely based on the same principles as the EU-U.S. Safe Harbor program. Following the ECJ's decision, the Swiss Data Protection Authority (FDPIC) made a first public statement on October 7 on its website to say that the Swiss/U.S. Safe Harbor decision “is also called into question” by the ECJ decision. The FDPIC added, “As far as Switzerland is concerned, in the event of renegotiation, only an internationally coordinated approach that includes the EU is appropriate.”

On October 22, the FDPIC made a second statement which shows that it is siding with what the opinion of the WP29. Essentially, the FDPIC says that “as long as Switzerland has not renegotiated a new Safe Harbor Framework with the U.S., Safe Harbor cannot be deemed a valid legal mechanism for transferring personal data to the U.S.” It would seem, therefore, that without officially revoking the Swiss/U.S. Safe Harbor program, it is de facto no longer possible for Swiss-based companies to transfer personal data to the U.S. on the grounds of Safe Harbor. Without explicitly mentioning any enforcement actions, the FDPIC calls upon businesses who are transferring personal data to the U.S. to adapt their contracts with U.S. companies before the end of January 2016. The FDPIC will also coordinate with the EU DPAs to determine what other actions may be required to protect the fundamental rights of the individuals.

The Privacy Advisor: And is the CJEU ruling that Safe Harbor is invalid binding upon non-EU EEA members (Norway, Iceland, Liechtenstein)?

Olivier: Yes it is because these three EEA countries, although they are not a part of the European Union, have agreed to implement EU law in their respective jurisdictions and so they are legally bound by the decisions of the ECJ.