1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Safe Harbor fallout: where are we now?

As we all know, the EU decided to invalidate Safe Harbor on 6 October 2015.  Please see our Insight article and blog post for a quick recap.  But what has happened since?

Article 29 WP Guidance

The most significant guidance is from the A29 WP.  The key points were:

  • International data transfers from Europe based on Safe Harbor are now unlawful;
  • Model Clauses (also known as Standard Contractual Clauses) and Binding Corporate Rules (BCRs) can still be used.  However they are under review and do not prevent individual DPAs from investigating particular cases;
  • By the end of January 2016, if no appropriate solution with the US authorities is found, EU DPAs will take “appropriate actions” (= enforcement?)
  • For more information on the Working Party statement, please see our blog post.

What do DPAs say?

Most EU DPAs have now issued statements on Safe Harbor.  Many welcomed the decision!

The UK approach is “don’t panic”.  The ICO has said that there are alternative mechanisms to Safe Harbor and recommends model clauses.

The French DPA (the CNIL) calls on companies to implement model clauses to transfer data to the US but doesn’t reference other transfer mechanisms such as BCRs or the derogations (e.g. consent).  The CNIL also re-affirms the Working Party position on possible enforcement in due course.

The most extreme position comes from the German DPA for the Schleswig-Holstein.  It disagreed with the Working Party opinion and said that neither model clauses nor consent provide a legal basis for data transfers.  However, the joint position paper of the German Federal State DPAs simply said that German DPAs will not issue “new approvals” on the basis of BCRs or data export agreements.  This is certainly “drawing a new line in the sand”.  In addition, this has slowed down German approvals of BCRs and any approvals of transfer agreements (where approval is required).  However, provided you use the standard Model Clauses, no approval is required in Germany.

What are companies doing in practice?

Companies are seeking to address the issue proactively.  Some are conducting assessments to identify what data is being transferred internationally.  Others are incorporating this within global privacy audits and programmes.  As a minimum, companies are implementing model clauses both intra-group and with vendors.  There is usually a need to prioritise the larger transfers of more sensitive information and the bigger vendor offerings to get the job done.  As we know, many vendors are offering pre-signed Model Clauses.  These need careful review.  Some strike a fair balance between strict legal requirements and a pragmatic approach but some go further.

What’s next?

We are told that the new Safe Harbor deal is imminent. But we are living in a time of uncertainty.  So risk-based decisions are required.

As you’ll have seen, the final GDPR text was released this week too!

A little more holiday reading….

Safe Harbor fallout: where are we now?

EU Data Protection Reform: LIBE agrees!

The EU Parliament LIBE Committee has approved the Data Protection Reform package as reported by Privacy Laws and Business today.   For more, read our piece from yesterday’s story.


EU Data Protection Reform: LIBE agrees!

Safe Harbor: A29 Statement Released on “What’s Next?”

The Article 29 Working Party has, today, published its Statement following the Safe Harbor decision last week. It’s been confirmed that Model Contracts (a.k.a. Standard Contractual Clauses) and Binding Corporate Rules can still be used.

The DPAs also say that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgement”. Similarly, Giovanni Buttarelli, European Data Protection Supervisor said he was “largely optimistic” (as just reported by the IAPP) about the future of cross‑border data transfers with the US.

Further, the Working Party is urgently calling on member states and EU institutions to open discussions with the US authorities to find political, legal and technical solutions to enable data transfers to the US. Clearly this is key.

Confirmation on Safe Harbor

As per last week’s Court Decision, Safe Harbor is invalid: No news here!

Can alternative transfer tools be used?

Yes! The Working Party says that Standard Contractual Clauses and Binding Corporate Rules can still be used. This was the line taken by the ICO last week.

However, pending agreement of upgraded arrangements for data transfer with the US, the Working Party says it will continue “its analysis on the impact of the CJEU judgment on other transfer tools”.  If, by the end of January 2016, no solution is found with the US authorities and, depending on the assessment of other transfer tools by the Working Party, the EU DPAs are “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”.

This sounds like a grace period until the end of January for those who previously used Safe Harbor while retaining local DPAs rights to investigate and exercise powers based on particular concerns or complaints. Clearly, that will depend on local regulatory policy and culture.

A new deal with the US?

It’s clear from the Statement today that the Working Party follows the Court view on mass surveillance and compatibility with EU law. The Working Party is saying that a new deal with the US would involve political, legal and technical solutions in order to secure respect for fundamental rights (i.e., data protection). It also suggests that solutions could be found through the negotiation of an intergovernmental agreement that provides stronger guarantees for EU data subjects. So this is a broader issue that the current negotiations around a new Safe Harbor 2.0 although that could be “a part of the solution”. The Working Party is likely also looking for new law on oversight of surveillance and EU citizens’ data rights as minimum requirements.

What do we make of this?

The Statement is clearly the result of competing views on what should happen next. It gives a clear statement that Model Contracts and BCRs can still be used (good news). But it is a complicated picture. However, this doesn’t change our earlier recommendation that companies should identify data flows previously covered by Safe Harbor, assess the priority level and consider implementing one of the other solutions. Much will depend on the nature of your business, the data being transferred and the regulatory risk in particular jurisdictions in order to best assess next steps.

Safe Harbor: A29 Statement Released on “What’s Next?”

Safe Harbor Decision today!

Today, the Court of Justice of the European Union (CJEU) handed down its ruling in relation to the Schrems case. As you will have heard, the Court decided that local DPAs should be entitled to investigate matters (regardless of there being a Commission Decision applicable) and, more importantly, that the Commission Decision on Safe Harbor is, in fact, invalid.

DPA rights to investigate

We had all assumed that if a data transfer was subject to Safe Harbor then that was it. You would not have expected a local DPA to investigate Safe Harbor as that was an official decision and it should be up to the Commission to investigate or upgrade it as required.  Then came Snowden. That put Safe Harbor under the microscopic of course.

As a result of Snowden revelations, the Commission has been negotiating with the US for an upgrade to the privacy principles and FAQs. The Court, however, decided that if you read the Data Protection Directive (the famous Article 25 in particular) together with the EU Charter of Fundamental Rights, this must mean that DPAs can investigate Safe Harbor data exports.

In one sense, this turns DPAs into quasi-judicial bodies. More generally, it reflects the two key changes influencing the Court’s thinking here: (i) the Snowden revelations; and (ii) the higher standards imposed by the Charter. Neither of these factors were, presumably, in the Commission’s “corporate mind” when the Safe Harbor Decision was published, way back in 2000. The Charter, in particular, is featuring more frequently in EU data protection case law.

Safe Harbor decision

The Court raised a number of criticisms of the Commission’s original Decision. The Court highlighted that:

  • no consideration had been given to domestic US law as to whether it provided adequate protection for data;
  • the carve out for access to data for national security, crime prevention and other purposes was too broad; and
  • there was no appropriate remedy for EU citizens.

In other words, there were architectural defects in the Safe Harbor regime.  These concerns were brought to light by the surveillance revelations of Edward Snowden.

Should we panic?

No!  However, it is time to think carefully about putting alternatives to Safe Harbor in place (e.g. model contracts or BCRs).  The ICO accepts that this will take time.

Interestingly, the Commission was at pains to point out in their press conference this afternoon that they value international trade and that data flows with the US should continue.  So this is not about “pulling up the digital drawbridge”.  In particular, they have indicated that there will be guidance published to ensure business has certainty and clarity going forward.  They were also keen to point out that the “Safe Harbor 2.0” currently being negotiated is well advanced but that they need a little more time to sort out the national security issue.  Let’s wait and see.  The sooner the better

We are publishing a fuller analysis of the decision tomorrow.  Please contact me if you would like a copy.

Safe Harbor Decision today!

EU-US Data Flows: Bridging the Cultural Divide?

After four years of negotiations, the EU and US have reached an agreement that will protect EU citizens’ personal data when shared for law enforcement purposes. The “Umbrella Agreement” covers all personal data (e.g. names, address, criminal convictions) exchanged between the EU and the US for the prevention, detection, investigation and prosecution of criminal offences, including terrorism. Crucially, it must not be used for further incompatible purposes. This will be a welcome development after Edward Snowden’s revelations of US government snooping on EU citizens in 2013. The agreement aims to “rebuild trust in EU-U.S. data flows” by putting in place “a comprehensive high-level data protection framework” between EU and US law enforcement bodies.

However, the EU Commission has said that it will not sign the agreement until the US passes legislation giving EU citizens the same “right to judicial redress” which US citizens enjoy. This will not only cover situations where EU citizens’ personal data is shared with US authorities, but also where US authorities deny access or rectification to EU data citizens, or unlawfully disclose their personal data to third parties.

The Umbrella Agreement has received strong backing from the US tech sector and privacy lobbyists alike. It may even help smooth the way for concluding the Safe Harbour negotiations. In the press release on the Umbrella Agreement, the European Commissioner Věra Jourová said that she is “also confident that we will be able to soon conclude our work on strengthening the Safe Harbour Arrangement for exchange of data for commercial purposes. We continue to work with determination with our US counterparts on the final details”.

For more information on the US-EU Umbrella Arrangement, see the EU Commission’s press release and Q&As.

EU-US Data Flows: Bridging the Cultural Divide?