Panopticon has been quick off the mark in reporting on today’s enormously significant Schrems judgment from the CJEU: see Chris’ alert and Anya’s commentary. I hope readers will excuse a third excursion into the same waters, given the enormous consequences of the judgment. Here are a few observations on what those consequences mean in practice.
- Is this the end for Safe Harbor?
In its current form, yes. In theory, it can be fixed, rather than binned. Efforts have in fact been underway for some time aimed at renegotiating and tightening up aspects of the Safe Harbor arrangements, spurred by the Snowden revelations about the extent of US surveillance. The tenor of the judgment, however, is that tweaks will not suffice. ‘Dead in the water’ is the right shorthand for Safe Harbor.
- Does the Schrems judgment affect all companies transferring data to the US?
No – it torpedoes the Safe Harbor scheme, but it does not torpedo all EU-US data transfers. The Safe Harbor scheme was one of the major ways in which EU-US transfers of personal data ticked the box in terms of complying with Article 25 of Directive 95/46/EC (or the eighth data protection principle, in UK parlance). But it was not the only way.
Not all US companies were part of that scheme – in fact, you can see the full list of companies that are certified for Safe Harbor on the website of the US Department of Commerce (which administers certification for the scheme) here. There are around 5,000 companies affected by the Schrems judgment.
- Without Safe Harbor, how can data transfers to the US be lawful?
Obviously, the options include avoiding transfers to the US henceforth. Data processing arrangements could be retained within the EU, or they could be switched to one of a number of countries which already have an EU seal of approval: see the list here, which includes Andorra, New Zealand, Canada, Uruguay, Israel and Argentina. Again, however, the Schrems judgment arguably implies that not even those countries are immune from scrutiny. Though those countries are not tainted by the Snowden/NSA revelations, their approved status is no longer inviolable.
Another option for multinationals transferring data to the US (or elsewhere) is to use Binding Corporate Rules. These provide a framework for how the organisation handles personal data. The data controller drafts its BCRs and submits them to the regulator for approval. Where more than one EU state is involved, the other regulators all need to have their say before the data controller’s arrangements are given the green light.
The BCR process is explained by the ICO here. Note the observation that a straightforward BCR application can take 12 months. So no quick fix for plugging the Safe Harbor gap here. Companies may need to find interim solutions while they work on adopting BCRs.
Another option is the use of Model Contract Clauses, explained by the ICO here. This involves incorporating off-the-shelf, EU-approved provisions into your contracts relating to personal data. These are inflexible, and they will not fit every data controller’s needs. Again, data controllers may need to craft stop-gap contractual solutions.
And again, it is arguably implicit in the Schrems judgment that even BCRs and Model Contract Clauses are flawed, i.e. they do not suffice to ensure that adequate data protection standards are maintained.
Lastly, as a data controller, you are able to do it yourself, i.e. to carry out your own assessment of the level of protection afforded in your data’s destination country. Again, the ICO helpfully explains. Again, however, the solutions are not straightforward.
- Are regulators going to take immediate action against all Safe Harbor-based transfers?
Unclear, but it is doubtful that they have the will or the way.
In the immediate term, the Irish Data Protection Commissioner now needs to decide whether or not Facebook’s US data transfers are lawful in the absence of Safe Harbor. This alone will be an important decision.
In the UK, the ICO has issued a press release on Schrems. It recognises that it will take time for businesses to adapt. Its tone is neither immediate nor pitiless.
This is no doubt because the business implications – both for the private sector and the regulators – would be enormous if a whole-scale clampdown were to be commenced immediately. It is likely that many regulators will give data controllers some time to get their houses (or harbors) in order – though the CJEU declined to take a similar approach in its judgment today.
- Will the new Data Protection Regulation fix the problem?
No. Its approach to international transfers is largely the same as the one which is currently in place. It contains no automatic fixes to the current quandary.
These are just preliminary observations. The dust has not yet settled, and businesses face some thorny practicalities in the meantime.
Robin Hopkins @hopkinsrobin