European businesses have always needed to tread carefully in relation to exporting personal data outside the European Economic Area (EEA). This has never been more true than recently when data export became the biggest issue in data protection.
The cat was set among the pigeons in October 2015 when the European Court of Justice (ECJ) invalidated the export of personal data to the US via safe harbour, and data export to the US has been shrouded in uncertainty ever since. The Commission’s new deal on ‘safer harbour’ with the Privacy Shield has not provided the certainty hoped for and many businesses and lawyers are left scratching their heads as to what they can and cannot now do.
Free movement of goods underpins the operation of the EU and means that, provided the requirements on fair and lawful use are met, personal data can be exported throughout the EEA without formality. This is not the case in relation to exporting personal data outside the EEA. Unless the country is on the list of those which the Commission considers provide adequate protection for personal data (which is not a long list), the EU Data Protection Directive (95/46/EC) and the Data Protection Act 1998 set out some fairly prescriptive hoops which businesses have to jump through to legitimise their data export.
The most common ways used to export personal data outside the EEA under this legislation are:
- EC model clauses: Currently, probably the most pragmatic and efficient approach for businesses to lawfully transfer data outside the EEA is to enter into standard contractual clauses known as ‘model clauses’. The European Commission has approved four sets of model clauses as providing an adequate level of protection. Two sets relate to data controller to data controller transfers and the other two sets relate to transferring personal data to a processor (controller to processor clauses). These must be used in pretty much an unaltered form to ensure compliance. A disadvantage of this approach is that model clauses are unavailable in a processor-to-processor situation.
- Binding corporate rules: Another approach is for a company to implement binding corporate rules (BCRs) throughout its group. All group companies agree to abide by minimum standards in the handling of personal data. BCRs are, however, time consuming and expensive to implement and are restrictive because they can only be used by multinational organisations transferring information outside the EEA within their group. They also need to be approved by the relevant data protection authority.
- Safe harbour: This was a widely used way to export data to the US. If a US-based business had signed up to the safe harbour self-certification scheme which required certain minimum standards to be observed in relation to personal data it was possible to export the data to that business without further formality.
- Consent: Businesses could, of course, legitimise the transfer of data from the EU to the US by directly seeking the consent of the data subject. Although it could be tempting to use consent as a quick fall back solution, consent may in practice be difficult to use for repeated and systematic data transfers. It is also likely to be extremely difficult to do retrospectively in respect of data which has already been transferred. Also, consent can be withdrawn at any time, which gives rise to practical difficulties in relying on it. This is always a drawback with consent in the data protection context.
- Self-assess adequacy: Businesses can complete their own risk assessment to decide whether there is adequate protection for the rights of individuals, in all the circumstances of the transfer. This involves consideration of a wide range of factors and it is a risky approach as it does not automatically mean compliance with Principle 8 of the Data Protection Act. It is therefore not widely used.
Invalidation of safe harbour
The big development in this area has arisen as a result of action taken by an Austrian law student, Max Schrems, in relation to the inadequacies of safe harbour.
The safe harbour scheme was used by a large number of businesses to export data to the US. It meant that even the smallest businesses could, for example, take advantage of cloud solutions or outsource their backroom services without having to jump through expensive legalistic hoops such as putting in place the model clauses or getting consent from each person affected.
Safe harbour was never popular with privacy campaigners, however, as the fact that it was a self-certification scheme meant that there had long been concerns over the lack of oversight and redress. Many didn’t think that it gave meaningful protection to individuals whose data was exported under it, and there had even been calls for it to be suspended by the European Parliament in March 2014. Negotiations were therefore already ongoing to come up with ‘safer harbour’ when Mr Schrems brought his case.
Why was safe harbour challenged?
The case was brought by privacy campaigner Max Schrems following the Snowden revelations. Mr Schrems had a Facebook account with the European arm of Facebook, headquartered in Ireland. Facebook shared data with its US counterpart and Schrems objected as he was concerned that US security services would get access to his personal data. He requested that the Irish Data Protection Commission audit material that Facebook might be passing on. The Commission declined to do this because it declared itself satisfied that safe harbour ensured ‘an adequate level of data protection’.
Schrems argued, however, that since Facebook data was subject to mass surveillance by US intelligence agencies, safe harbour did not offer an adequate level of protection for his personal data. Both the Advocate General and the ECJ agreed and safe harbour was invalidated with immediate effect by the ECJ in October 2015.
As a consequence, personal data can no longer be transferred to a US business solely on the basis that it is safe harbour certified. Although the Schrems case arose from a complaint about Facebook, it applies to all transfers of personal data to the US under safe harbour and has far-reaching consequences for thousands of businesses that relied on it to move personal data to the US from Europe. Data export to the US was in turmoil and businesses were struggling to work out what to do for the best.
Binding corporate rules and model clauses
As discussed above, there are other options for ensuring compliant data export. Model clauses and binding corporate rules were not invalidated by the ECJ and are currently still valid transfer options in relation to the US.
It should, however, be remembered that while they are still technically available, they are likely to be susceptible to similar arguments as those made in the Schrems case. How, for example, do contractual clauses between two businesses offer individuals protection against mass security surveillance? Logically the position is no different to safe harbour.
These additional options may not therefore provide long-term protection, particularly as privacy campaigners have indicated that they have them in their sights and they are currently being assessed by the Commission.
The Privacy Shield: an alternative to safe harbour?
While the EU and the US have been in negotiations for some time in relation to an updated safe harbour system, the discussions got a new imperative following the Schrems decision and were expedited. On 2 February 2016 the European Commission announced a new framework to replace safe harbour, namely, the EU-US Privacy Shield. The legal texts that constitute the EU-US Privacy Shield were released on 29 February accompanied by the Commission’s draft ‘adequacy decision’. The Commission have concluded that data transferred under the Privacy Shield does ensure an adequate level of protection.
In order to rely on the Privacy Shield when transferring data from the EU, an organisation must self-certify its adherence to the Privacy Shield with the Department of Commerce and comply fully with its principles. The Privacy Shield covers the following:
- US businesses who sign up to the privacy shield scheme are required to commit to strong obligations in relation to handling personal data which will be enforceable under US law.
- Individuals must have access to personal information that an organisation holds about them and must be able to correct, amend or delete that information where it is inaccurate or has been processed in violation of the principles of the Privacy Shield.
- Any US business that processes human resources data must abide by decisions of European data protection authorities.
- Law enforcement and security organisations in the US are to be subject to limitations and safeguards and the US has ruled out indiscriminate, mass surveillance. There will be a joint annual review of the arrangement by the US and the European Commission.
- There will be a new ombudsman for individuals to complain to in relation to access by the security services.
- Redress for misuse of other data will be either direct with the companies concerned, or the European data protection authorities can complain to the US Department of Commerce.
The Privacy Shield is not yet in effect. The Article 29 Working Party is conducting a review of the agreement and will give their opinion (which is expected in spring) before it can be formally adopted by the Commission.
In the meantime, the US is expected to make the necessary preparations to put in place the new framework.
As a result, we would suggest that businesses wait until the Privacy Shield has been confirmed before relying on it. Even then, privacy campaigners have been quick to point out its inadequacies and so there is still a risk that if it goes in front of the ECJ, it won’t stand up and we could be back to where we were in October.
Fortunately, in view of the uncertainty the Information Commissioner’s Office has commented that they are not rushing to use their enforcement powers as there is no new and immediate threat to personal data. This approach will not necessarily be followed throughout Europe and other data protection authorities may take a different approach.
The new General Data Protection Regulation
We are currently in the midst of a complete overhaul of data protection laws via the long-awaited General Data Protection Regulation (GDPR). The GDPR will be directly applicable in all member states without the need for implementing national legislation and will replace the outdated patchwork of national rules. While it means big changes in certain areas, which include potential sanctions of up to €20m or 4% of global annual turnover for breaches as well as extra-territorial effect to catch data controllers and processors not established in the EU, the position on data export is broadly similar to what we already have.
The GDPR is therefore unlikely to cut through the uncertainty in relation to data export to the US. Also, it will be over two years before it is in force.
What should you do?
Even though there is a question mark over whether the model clauses and binding corporate rules will be the next in line to be invalidated by the ECJ, they are still currently available to transfer data to the US and, pending the formal adoption of the EU-US Privacy Shield, are probably the best bet to legalise export of personal data to the US.