In addressing the world’s data protection authorities last week at the International Privacy Conference in Amsterdam, European Commissioner Vera Jourová referenced the 16th century poet John Dunne to note that, “No man is an island. Europe is not, and never will be, a digital island. Personal data has grown to become a currency fueling our markets and economies.”
However, now a month out from the Schrems decision by the European Court of Justice (ECJ), invalidating Safe Harbor, it may be the end of that poem that most resonates: For whom does the bell toll? “It tolls for thee,” transatlantic negotiators.
Yes, both the Commission and its counterparts across the Atlantic, the U.S. Department of Commerce, are hearing bells of urgency tolling throughout the business world, with the likes of the Computer & Communications Industry Association estimating a potential negative impact of more than one percent of EU gross domestic product if a structural solution isn't agreed to.
It’s why Jourová promised Commission guidance in short order last week and why it’s no surprise they delivered this morning, with a 15-page document outlining the Commission’s interpretation of the Schrems ruling and its interpretation of the data-transfer options that remain on the table: binding corporate rules (BCRs), standard contractual clauses and the derogations of the 95 Directive.
“Transfers of personal data are an essential element of the transatlantic relationship,” reads the document’s opening. “The EU and the United States are each other's most important trading partners, and data transfers, increasingly, form an integral part of their commercial exchanges.”
In a press conference accompanying the release of the document, however, Jourová made sure to note that “it takes two to tango” and that “personal data cannot be traded like a standard commodity … when transferred abroad, its protection needs to travel with it.”
Perhaps that’s why those looking for definitive answers about data transfers to the U.S. might be disappointed by the guidance. As a reflection of the legal uncertainty that has dominated the aftermath of Safe Harbor’s invalidation, the Commission’s document is full of equivocation.
First, it notes up front that the document is “without prejudice to the powers and duty of the DPAs to examine the lawfulness of such transfers in full independence” and that the communication “does not lay down any binding rules and fully respects the powers of national courts to interpret the applicable law and, where necessary, to make a reference to the Court of Justice for a preliminary ruling. Nor can this Communication form the basis for any individual or collective legal entitlement or claim.”
Even when the document seems to make definitive statements, there are often quickly supplied caveats. For example, DPAs, Commission notes, “may not refuse the transfer of the data to a third country on the sole basis that these SCCs do not offer sufficient safeguards.” However, that's followed up by, “This is without prejudice to their power to examine these clauses in the light of the requirements set out by the Court in the Schrems ruling. In case of doubts, they should bring a case before a national court, which in turn may make a request for a preliminary ruling to the Court of Justice.”
Similarly, the Commission writes, “If the clauses have been used without amendment, the authorization is in principle automatically granted.” But, that is said “without prejudice to additional measures the data exporter may have to take, in particular further to information received from the data importer on changes in the third country's legal system that may prevent the data importer from fulfilling its obligations under the contract. In the application of SCCs, both data exporters and, by subjecting themselves to the contract, data importers fall under the supervision of DPAs.”
Finally, there is this caveat in the finish: “In particular, both the SCCs and BCRs provide that if the data importer has reasons to believe that the legislation applicable in the recipient country may prevent it from fulfilling its obligations, it shall promptly inform the data exporter in the EU. In such a situation, it is up to the exporter to consider taking the appropriate measures necessary to ensure the protection of personal data.”
Does a data importer in the U.S. have reason to believe that legislation in the U.S. would prevent it from fulfilling obligations to protect EU citizen data? Businesses might be excused for thinking that’s the very question everyone is grappling with.
And it’s why they’re likely in agreement with European Commission VP Andrus Ansip when he says, “We need an agreement with our U.S. partners in the next three months … While alternative tools exist, a safer new framework is the best solution to protect our citizens and cut red tape for businesses, especially start-ups.”
Does the guidance make businesses feel more confident in their practices in the meantime? Early returns are positive.
The App Developers Alliance released a statement welcoming the guidance, saying, “Small businesses and startups desperately needed more legal certainty.” Further, they read the document to say BCRs and standard contractual clauses are “still viable.” However, while the guidance is a “step forward,” they write, “it does not fully replace Safe Harbour.”
If you want to comment on this post, you need to login.