As policy-makers in Washington, DC, and Brussels meet to discuss possible alternatives to Safe Harbor in order to keep data flowing across the Atlantic, corporate privacy professionals are facing an immediate need to respond to the European Court of Justice's (ECJ's) landmark decision in the Schrems case. Whether your company relied on Safe Harbor to transfer data for storage in the cloud, to process consumer orders, centralize HR administration, engage service providers or communicate with corporate affiliates, you now need a new solution, and you need it today. What do you do until the bigwigs hammer out a new deal for Safe Harbor 2.0? Execute dozens of model clauses? Engage pricey consultants to start your binding corporate rules? Rely on consent? Or perhaps lie low and wait for the storm to pass?
On October 6, more than 2,500 professionals registered to join an IAPP web conference featuring initial reactions on the day of the Safe Harbor decision. During that session, the IAPP received dozens of questions about next steps. We poured the questions into eight buckets, entitled:
- What does the ruling do?
- What now?
- Timetable
- BCRs and model clauses as alternatives
- Enforcement
- Potential solutions
- Official responses and implications on foreign policy
- Policy and related issues
In this second installment of a five-piece series, we feature answers provided to your questions by a panel of world-renowned privacy professionals. In this piece, Hogan Lovells' Eduardo Ustaran, CIPP/E, a member of the IAPP GDPR Comprehensive Faculty, addresses "what now?" and BCRs and model clauses.
Have more questions? Our contributors will be available to answer them in person at the IAPP’s GDPR Comprehensive, February 22-23, in Brussels. Join them there for a special training event to learn about the new framework that is set to arrive at the end of 2015.
What Now?
The Privacy Advisor: Is the ECJ ruling appealable?
Eduardo Ustaran: No. The decisions of the ECJ are final and cannot be appealed.
The Privacy Advisor: What immediate actions should organizations take, and what should they do with respect to existing transfers and those in progress that were based on the Safe Harbor premise?
Eduardo: All such transfers—whether they are intragroup or to service providers—should be immediately identified by carrying out a data transfer assessment. Following that, organizations should prioritize key transfers for the business by reference to the nature of the data and its use and determine the most appropriate mechanism to legitimize such transfers.
The Privacy Advisor: Should organizations that self-certified compliance with Safe Harbor update their privacy policies in light of the ruling?
Eduardo: To the extent that a privacy policy identifies Safe Harbor as the mechanism which is relied on to legitimize data transfers, that should be amended and replaced by an alternative basis.
The Privacy Advisor: What should organizations do with regard to Safe Harbor-certified third-party service providers?
Eduardo: Organizations should review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.
The Privacy Advisor: Should organizations that have a renewal of recertification coming up for their Safe Harbor certificate renew or not renew?
Eduardo: Organizations should only consider renewing their Safe Harbor certification if they plan to carry on relying on Safe Harbor as a privacy framework, but this will not do away with the need to find an alternative basis to legitimize data transfers from the EU to the U.S.
The Privacy Advisor: What happens to service contracts signed based on EC Standard Clauses that additionally mention that the U.S. partner is Safe Harbor-certified? Are these contracts still valid under the new situation?
Eduardo: Those contracts are indeed valid, but will exclusively rely on the adequacy of the standard contractual clauses to legitimize such transfers.
BCRs and Model Clauses
The Privacy Advisor: Are any data transfer agreements between EU and U.S. companies based on the "EU model clauses," and not Safe Harbor, influenced by the ECJ decision?
Eduardo: Yes, they are, because Safe Harbor was declared invalid as an adequate mechanism to legitimize data transfers because of its inability to deal with U.S. government access to data in a way that respected EU data protection rights. The same weakness could potentially apply to the EU model clauses. For that reason, it is important to consider what else will be necessary to address that potential exposure.
The Privacy Advisor: If a company goes with model contracts, will it need to execute a separate contract for each customer?
Eduardo: Yes. Service providers will be required to enter separate contracts with each of their European customers providing them with data.
The Privacy Advisor: Please explain the pros and cons of model contracts.
Eduardo:
Pros:
- They are freely available and no substantial drafting is required.
- They are preapproved by the European Commission as a lawful transfer method, and so far, they have not been challenged by the EU data protection authorities.
- The applicable filing formalities are relatively straightforward. They are particularly suitable for one-off transfers.
Cons:
- They are cumbersome as they include very strict nonnegotiable requirements.
- They are unworkable for multiple and evolving transfers.
- They are subject to administrative requirements in most of the EU.
- Because of their strict nature, there is a risk of nonobservance of their provisions by data importers.
- They are potentially subject to the same challenges that caused the invalidation of Safe Harbor.
The Privacy Advisor: If the ECJ invalidated Safe Harbor in part on the amount of access that U.S. law enforcement/national security authorities have to EU citizens’ data—so much that the Safe Harbor does not protect the fundamental rights of EU citizens’ protection of data—are BCRs and model contracts even a viable alternative to Safe Harbor? It seems the ECJ’s concerns for Safe Harbor apply to BCRs and model contracts as well.
Eduardo: Potentially, the same weakness affecting Safe Harbor could apply to the EU model contracts and BCRs, if they do not include a suitable way of dealing with requests for access to data by public authorities.
The Privacy Advisor: Are we likely to see a challenge to model contracts and/or BCRs?
Eduardo: Some data protection authorities may question the effectiveness of model contracts—less so in relation to BCRs. Therefore, it is key that whichever mechanism is relied on to legitimize international data transfers, it includes measures to ensure that the provision of data to public authorities is reasonable and in line with European data protection.