After the European Court of Justice gutted the U.S.-EU Safe Harbor agreement in its landmark decision in Schrems v. Facebook, a number of EU data protection authorities (DPAs) issued clarifying statements. Here is a look at some of the recent guidance from DPAs around Europe.
On November 19, 2015, the French DPA, the CNIL, published guidance titled “Safe Harbor: What Should Companies Do?” as well as a series of frequently asked questions. U.S. organizations transferring data from France must choose one of two options before January 31: (1) issue a declaration that they have stopped transfers of personal data to the United States or (2) indicate which approved mechanism they will use for data transfers. The CNIL also advised that it intends to follow the Article 29 Working Party’s statement permitting organizations to use binding corporate rules and model contractual clauses to transfer data to Safe Harbor certified organizations through January 31, 2016. However, the CNIL expressed a preference for model contractual clauses because it takes several months to implement binding corporate rules. But these must be registered, and only two simplified notification procedures are available: one for processing employee data and one for consumer data. Unfortunately, neither procedure contemplates litigation or investigations.
A recent statement by the Polish DPA, the GIODO, requires organizations that previously relied on the Safe Harbor provisions to demonstrate another valid legal basis to transfer the personal data of Polish citizens to the United States. Polish law recognizes that model contractual clauses are a permissible workaround, but binding corporate rules are not. The GIODO indicated that it will respect the Article 29 Working Party’s deadline of January 31, 2016 for enforcement, but if complaints are received before this time, it will investigate them.
On October 23, 2015, the Portuguese DPA, the CNPD, issued a statement prohibiting data transfers under the Safe Harbor agreement. The CNPD explained that it will only issue provisional authorizations for cross-border transfers of personal data to the United States. It, like the other EU nations’ DPAs, plans to study the impact of the Schrems ruling on alternative means of data transfer. Note that Portuguese law does not recognize binding corporate rules as a legitimate transfer mechanism; therefore, standard contractual clauses and consent remain the primary means for data transfer.
On November 3, 2015, the AEPD, the Spanish DPA, notified all U.S. companies transferring data under Safe Harbor that they must implement alternative methods for transferring data. These organizations must notify the DPA by January 29, 2016 of their chosen transfer mechanism. The notice suggests that organizations use standard contractual clauses that have been authorized by the DPA (a process that usually takes about three months). It also announced that data transfers are permissible without the DPA’s authorization if they meet one of several conditions, including if they have obtained the data subject’s consent or if the transfer is required to support legal claims.
The United Kingdom
In a recent blog, the Deputy Commissioner of the United Kingdom’s Information Commissioner’s Office (“ICO”) gave the following advice: “[d]on’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal,” as the “impact of the judgment on standard contractual clauses and binding corporate rules is still being analysed.” In the meantime, he suggested that organizations take stock of the data being transferred outside the EU and evaluate the adequacy of protections for the personal data, as the UK still allows organizations to rely on their own adequacy assessment.
In next week’s blog, we will review some important developments in Germany following the Schrems decision and suggest best practices for handling data stored in Europe.
About the AuthorMore Content by Rachel Teisch