Like everyone else who operates in the field, this blog may have touched once or twice on the issues arising out of Schrems. Both Robin (here) and Tim (here) have provided some summaries of the sorts of alternatives data controllers will need to think about, and the guidance issued by the Article 29 Working Party as a result. But what, everyone has been asking, does the European Commission have to say about all this?
Happily, the heavy lids of ignorance may be lifted as the Commission has awoken. (Whether it more closely resembles the Force or a Kraken is perhaps a matter of personal preference.) It has produced a lengthy document which is actually both helpful and readily understandable. Not adding umpteen recitals probably helps. It draws together a lot of the practical issues and much of the existing guidance from the Article 29 WP already discussed for a sort of cheat-sheet document to help you navigate the ongoing choppy waters. You can find and download it here.
By way of precis, it informs us that the Commission has now “intensified” discussions with the US about a new Safe Harbour agreement, and that it hopes to have an outcome in three months. That would indeed require a considerable intensification, but there is nothing like ongoing illegality to concentrate the mind.
In the meantime, the Commission reminds us that Binding Corporate Rules are an option only for internal group company data transfers (something often overlooked), summarises what the Article 29 WP has suggested needs to be included and, rather optimistically, notes that the process has been facilitated and sped up by liaison between Data Protection Authorities. Unfortunately, the reality is that in the UK the ICO has always warned that BCR approval can take 12 months, and many readers will have had the experience of it taking considerably longer. The ICO has a lot of balls to juggle and not many hands, and there has been a deafening silence from the multinationals who want BCRs when it comes to offering to pay for the resources that would get them approved more quickly.
Outside of the BCR context, the Commission stresses its own approved contractual solution: the Standard Contractual Clauses. There are currently four approved sets: two for transfers between controllers and two for transfers from controller to processor. They include obligations as regards security measures, information to the data subject in case of transfer of sensitive data, notification to the data exporter of access requests by the third country's law enforcement authorities or of any accidental or unauthorised access, and the rights of data subjects to access, rectification and erasure of their personal data, as well as rules on compensation for the data subject in case of damage arising from a breach by either party to the SCCs. The model clauses also require that EU data subjects be able to invoke, before a DPA and/or a court of the Member State in which the data exporter is established, the rights they derive from the contractual clauses as third party beneficiaries. What the Commission adds is to point out that Commission decisions are binding in Member States, and SCCs are the product of Commission decisions. The presumption is, therefore, that the SCCs provide adequate protection (although they can be challenged in a court and referred to the CJEU if necessary). DPAs will want to check any boutique amendments to the SCCs for compliance, so departing from the approved wording is not a cost-free exercise.
The Commission points out that under the proposed new Regulation neither SCCs nor BCRs would require further authorisation by a national authority.
The third option is, of course, the derogations in Article 26(1). The Commission goes through each, highlighting the existing guidance on them and attempting to balance presenting them as workable solutions with stressing the need to construe them strictly. It may well be that much of the routine transfer businesses have relied upon, for example in connection with banking transfers or international travel, will be covered by the contractual derogations, providing, of course, that the transfer is necessary. The Article 29 Working Party considers that there has to be a "close and substantial connection", a "direct and objective link", between the data subject and the purposes of the contract or the pre-contractual measure as an aspect of the necessity test. The derogation cannot be applied to transfers of additional information not necessary for the purpose of the transfer, or to transfers for a purpose other than the performance of the contract (for example, follow-up marketing). If consent is relied upon it must be "unambiguous", and so cannot be implied.
What the Commission does not really discuss is the ability of controllers to carry out their own adequacy assessment and rely on that. It is theoretically possible, but inevitably it is a risky route to adopt in this new-found atmosphere of data protection litigation.
The Commission also accepts that all of its other adequacy decisions are open to challenge in courts, but does not consider any to be at immediate risk.
By way of update on global reactions, readers may be aware that the German DPAs have taken the most restrictive post-Schrems line; they have declined to approve any new BCRs or amended SCCs for the time being, although they have not said they will invalidate existing agreements. They have also taken a very restrictive line on consent. In Ireland, the remittal by the CJEU to the Irish courts has led to the start of the domestic process of investigation into adequacy, but those proceedings are still at a very early stage. The passing of the Judicial Redress Bill by the US House of Representatives is being seen as one step closer to the possibility of remedying one hole in the Safe Harbour scheme, namely the difficulty of EU citizens vindicating their rights in the US. Under the new Bill they could, in theory, be designated so that vindication was more plausible, but that is a long way from resolving all of the issues. There are also likely to be implications for the TTIP negotiations, although the sense is that data protection will be carved out of TTIP altogether and left to the new Regulation. It is also of interest that the impact has been wider than just the EU-US relationship. Israel, itself currently the subject of an EU adequacy decision, has revoked its own decision giving prior authorisation for the transfer of data from Israel to US companies signed up to Safe Harbour, doubtless to ensure that the EU-Israel adequacy decision is not undermined by proxy.
None of this is likely to be the last word, or post, on the subject. January 2016, by which time a solution has to have been found or the DPAs will start enforcing, seems awfully close…