Safe Harbour and Privacy Shield
16-11-2016
Many companies have not yet given sufficient thought to the transfer of personal data to countries outside the European Economic Area (EEA), even though unlawful transfers can result in fines of EUR 120,000 to EUR 500,000. If a company processes, or has processed, personal data outside the EEA, for example by storing it on a server in the US, it should ensure that this is legally covered. The rules on transferring personal data to countries outside Europe changed considerably in 2016. The most important changes are set out below.
Data flow outside of Europe
Until the General Data Protection Regulation (the “Privacy Regulation“) starts to apply in May 2018, the processing of personal data is governed by the Privacy Directive (also known as the Data Protection Directive). The Privacy Directive prohibits the transfer of personal data from the EEA to countries outside the EEA, unless an adequate level of protection is guaranteed. The European Commission can determine, by means of a so-called ‘adequacy decision’, whether the level of protection provided by a particular country meets that requirement.
Safe Harbour (or, in US English: Safe Harbor)
To facilitate the exchange of personal data between Europe and the United States, seven principles intended to guarantee an adequate level of protection were developed between 1995 and 2000. The European Commission's adequacy decision of 26 July 2000, which found that these principles provide an adequate level of protection within the meaning of the Data Protection Directive, is commonly known as the Safe Harbour decision. Through self-certification, American companies could demonstrate that they processed data in accordance with the Safe Harbour principles. The Safe Harbour decision thus provided a legal basis for transferring data to American companies certified under Safe Harbour.
Safe Harbour: no longer safe
Safe Harbour came under attack following a complaint by the Austrian activist Max Schrems, who objected to the transfer of his personal data to Facebook's American servers. As a result of this complaint, the Irish Court of Justice referred preliminary questions on Safe Harbour to the European Court of Justice. On 6 October 2015, the European Court of Justice declared the Safe Harbour decision invalid for, amongst others, the following reasons:
- The Safe Harbour decision did not oblige every company to comply with the Safe Harbour principles;
- The Safe Harbour decision did not oblige the U.S. federal government to adhere to the Safe Harbour principles, and explicitly allowed the protection of personal data to be overridden in the interest of the country;
- The Safe Harbour decision allowed U.S. investigative authorities to collect data in bulk.
The ECJ ruled the level of protection provided by Safe Harbour insufficient.
New agreement: the EU – U.S. Privacy Shield
The nullification of Safe Harbour intensified negotiations between the European Commission and the U.S. on a new legal framework that would allow data transfers to continue. On 2 February 2016, the parties announced their agreement: the EU-U.S. Privacy Shield. The draft was published on 29 February 2016. Like Safe Harbour, the Privacy Shield is based on self-certification by companies and on a set of principles comparable to the Safe Harbour principles. A major difference from Safe Harbour is that enforcement of the Privacy Shield has been placed in the hands of the Federal Trade Commission: although participation in the Privacy Shield is voluntary, participating companies are expected to abide by its rules. Compared to Safe Harbour, the Privacy Shield also expands the possibilities for individuals to object to the unlawful transfer or use of their personal data.
Criticising the Privacy Shield
On 12 February 2016, the European Data Protection Supervisor delivered preliminary advice on the Privacy Shield. On 13 April 2016, the so-called Article 29 Working Party (“WP29“, made up of representatives of the data protection authorities of the Member States) issued its opinion on the Privacy Shield. Although WP29 found that the Privacy Shield brings significant improvements compared to Safe Harbour, it raised three concerns:
- Although limited retention is a fundamental principle of European data protection law, the current text does not oblige companies to delete data once it is no longer needed;
- The U.S. is still allowed to collect data in bulk where this is deemed necessary to safeguard national security, which means there is effectively no limit on this use;
- Although the appointment of an Ombudsperson is commendable, the text does not guarantee that the Ombudsperson will be given adequate powers to perform this role effectively.
On 30 May 2016, this opinion was followed by a statement from the European Data Protection Supervisor, who was also critical of the Privacy Shield. The Supervisor even pointed out that, in its current form, the Privacy Shield might not survive an assessment by the European Court of Justice. On 1 July 2016, WP29 issued a press release reiterating the view expressed in its opinion of 13 April 2016.
Privacy Shield adopted
On 8 July 2016, the Member States of the European Union adopted the Privacy Shield, followed by an adequacy decision published by the European Commission on 12 July 2016. With this decision the European Commission determined that the Privacy Shield offers adequate protection within the meaning of the Privacy Directive, and that data may be transferred to a company that has joined the Privacy Shield. On 26 July 2016, WP29 published a statement on the adequacy decision and on its meeting of 25 July 2016. The statement emphasised that several concerns remained, although WP29 expressed that it was pleased that its remarks had been taken into account in the final version of the adequacy decision. WP29 also announced that it would use the first annual review to assess the legal basis of the Privacy Shield and to critically evaluate its practical impact.
Privacy Shield under fire
The Privacy Shield entered into force on 12 July 2016, immediately after publication of the adequacy decision. Since 1 August 2016, companies have been able to apply for certification, and over 500 companies have already signed up, amongst them Facebook, Google and Microsoft. However, as previously reported, the Privacy Shield is under pressure again. On 16 September 2016, the privacy organisation Digital Rights Ireland filed an application with the General Court for annulment of the Commission's decision adopting the Privacy Shield. Further details of the case are not yet known. On 25 October 2016, three French organisations also filed an application with the General Court for annulment of the Privacy Shield. The grounds on which annulment is sought are likewise not yet known.
The assessment of these complaints is expected to take a year or longer. This could mean that the General Court will not rule on these cases before the first annual evaluation of the Privacy Shield, planned for mid-2017. Depending on the outcome of that evaluation, the complaints might become moot.
Privacy Shield: the impact on companies
As long as the companies involved are signed up to the Privacy Shield, the transfer of data to the U.S. remains possible. If your company used to transfer data to an American company under Safe Harbour, it is important to verify whether the companies involved have now signed up to the Privacy Shield or intend to do so. If your company transfers data without a legal basis, the Data Protection Authority may, as explained above, impose a fine.
Alternatives to the Privacy Shield
Certifying under the Privacy Shield is not the only way to lawfully transfer data to the U.S. Companies may also use the standard contractual clauses issued by the European Commission or, in the case of an international group, implement a set of so-called ‘binding corporate rules’ throughout the group. It is also possible to apply to the Data Protection Authority for a permit for data transfers to countries outside the EEA.
- Standard contractual clauses
Personal data may also be transferred to a country outside the EEA on the basis of the standard contractual clauses approved by the European Commission. These standard contractual clauses are deemed to offer an adequate level of protection of personal data. The European Commission has approved three sets of standard contractual clauses to date: two for controllers outside the EEA (one general set and one specifically for companies) and one set for data processors. The standard contractual clauses are only deemed to offer an adequate level of protection if they are adhered to completely and without amendment; any addition or alteration to the clauses has to be submitted for approval. The standard contractual clauses are currently under pressure: on 25 May 2016, the Irish Data Protection Supervisor announced that it would seek a preliminary ruling on the lawfulness of transferring personal data on the basis of standard contractual clauses.
- Binding corporate rules (BCR)
Binding corporate rules are designed for international groups with one or more subsidiaries outside the EEA. The BCR set out an internal code of conduct for data transfers within the group, which guarantees the protection of personal data transferred to countries outside the EEA. Following a comprehensive cooperation procedure, the BCR must be approved in advance by the European privacy supervisors. From the moment the BCR are submitted to the Data Protection Authority, the approval procedure generally takes one year. Nevertheless, the BCR can be a useful alternative to the Privacy Shield for large international groups that exchange personal data on a regular basis.
Under Dutch law, six exceptions apply in which data may be transferred outside the EEA without standard contractual clauses, a permit or BCR. These exceptions are the following:
- Unambiguous consent: the data subject has given his or her unambiguous consent to the specific processing of his or her data;
- Performance of an agreement: the transfer is necessary for the performance of an agreement with the data subject (for example, an international payment);
- Interest of the data subject: the transfer is necessary for the conclusion or performance, in the interest of the data subject, of an agreement with a third party, for which the data subject’s personal data must be provided;
- Substantial public interest: the transfer of certain personal data is necessary on grounds of substantial public interest;
- Vital interest of the data subject: the data subject has a vital interest in the transfer of personal data, for example following an accident abroad. Note that unambiguous consent is preferred in these cases;
- Public registers: some information is publicly available and accessible through registers established by law, such as the Cadastre (Kadaster) or the Commercial Register. This information may be passed on.
Given the uncertainty surrounding the Privacy Shield’s future, one of the aforementioned alternatives may constitute a better way for your company to transfer data lawfully.