Update: The State of Trans-Atlantic Data Transfers After Safe Harbor
On November 6, one month after the Court of Justice of the European Union (CJEU) invalidated the US-EU Data Protection Safe Harbor Framework (Safe Harbor Framework), the EU Commission issued guidance on permissible means to transfer personal data from the EU to the United States. In its guidance, the EU Commission provides several alternatives to the Safe Harbor Framework as a legal basis for trans-Atlantic data transfers.
In the wake of the CJEU's decision last month (see Batten Down The Hatches: The US-EU Data Protection Safe Harbor Framework Invalidated (Oct. 7, 2015)), and weeks before the EU Commission issued its guidance, individual Data Protection Authorities (DPAs) of the EU Member States issued a variety of their own guidance documents, ranging from a relatively upbeat statement by the UK's Information Commissioner to a foreboding paper by the German DPA. The Article 29 Working Party (an independent advisory body comprised of representatives from all DPAs of the Member States as well as the EU Data Protection Supervisor) also recently released a statement confirming that the Safe Harbor Framework was no longer a valid basis for trans-Atlantic data transfers and pointing to alternatives, such as model contractual clauses and binding corporate rules (BCRs) (while questioning the viability of these options in light of the Working Party's concerns over US government surveillance).
Marking its own position, the EU Commission's November 6, 2015, guidance on the transfer of personal data from the EU to the United States points to three alternative means for transfers.
First, the EU Commission notes that contractual solutions may be used to facilitate transfers, provided they are robust enough in scope. For example, the EU Commission indicates that such contractual clauses must include obligations regarding, among other topics, "security measures," "notification to the data exporter of access requests by the third countries' law enforcement authorities or of any accidental or unauthorized access," and "the rights of data subjects to the access, rectification and erasure of their personal data," as well as "rules on compensation for the data subject in case of damage arising from a breach by either party to the [contract]." The model clauses also "require EU data subjects to have the possibility to invoke before a DPA and/or a court of the Member State in which the data exporter is established the rights they derive from the contractual clauses as a third party beneficiary."
Second, the EU Commission points to BCRs to facilitate transfers to affiliates (i.e., made within the corporate group).
Third, "in the absence of an adequacy decision," the EU Commission notes that data may still be transferred to third countries to the extent that one or more of the following "alternative derogations" applies:
- the data subject has unambiguously given his/her consent to the proposed transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise, or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject; or
- the transfer is made from a register that according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
Finally, the EU Commission noted that it intends to conclude discussions with the US government over a new safe harbor framework "in three months," and, in the meantime, invited data controllers "to cooperate with the DPAs, thereby helping them to effectively carry out their supervisory role." The EU Commission stated that it "will continue to work closely with the Article 29 Working Party to ensure a uniform application of EU data protection law."
More developments are expected as both EU entities and the US entities to which they transfer personal data seek to make sense of, and work within, the constraints of the CJEU decision.