Harbour news: possible consequences for Estonia, Latvia and Lithuania
 
   
  Kaupo Lepasepp
Partner
kaupo.lepasepp@sorainen.com
   
  Agris Repšs
Partner
agris.repss@sorainen.com
   
  Renata Beržanskienė
Partner
renata.berzanskiene@sorainen.com
   

In the Schrems judgment of 6 October, the Court of Justice of the European Union declared that the so-called Safe Harbour scheme, which allowed the convenient transfer of personal data from the EU to US companies, is invalid.

The Safe Harbour scheme was developed by the US Department of Commerce in consultation with the European Commission (the Commission). Under the Safe Harbour privacy principles, individuals must be informed, for example, when data about them is collected and the collected data must be relevant for the purposes for which it is to be used. In 2000, as a result of these consultations, the Commission decided that the level of protection for the transfer of personal data from the EU to US companies that had implemented these privacy principles was equivalent to the level of data protection in the EU. In practice, this meant that transferring personal data from the EU to a US company that had implemented the Safe Harbour principles was almost as easy as transferring the data to another EU member state.

Whether a particular US company had correctly implemented these privacy principles was in essence assessed by the company itself by self-certifying.

On 16 October, the Article 29 Working Party, composed of representatives of the national Data Protection Authorities, the European Data Protection Supervisor and the European Commission (the Working Party), released a statement (the Statement) outlining the implications of the Schrems judgment. The Statement emphasizes that:

  1. transfers relying on Safe Harbour are now unlawful;
  2. EU Standard Contractual Clauses (or Model Clauses) and Binding Corporate Rules can still be relied upon to legitimize transfers of personal data from the EU to the US;
  3. an appropriate solution has to be found between the EU and the US authorities by the end of January 2016.

The Working Party also stated that in the case of failure to reach a solution by the end of January 2016, the Working Party and the Data Protection Authorities will become committed to taking “necessary and appropriate” action, including coordinated enforcement after having assessed the transfer tools available.

The ruling that the Safe Harbour framework is invalid results in several immediate practical consequences for businesses in the Baltics.


 


ESTONIA

Under the Estonian Personal Data Protection Act, transfers to Safe Harbour-certified entities in the US took place as if they were transfers within the EU/EEA. No requirement was imposed to obtain prior authorisation from the Estonian Data Protection Inspectorate (Inspectorate) for these transfers.

The ruling that the Safe Harbour framework is invalid results in immediate practical consequences for businesses in Estonia that have relied on the Safe Harbour framework to transfer personal data to the US.

Inspectorate authorisation

First, from now on the transfer of personal data to the US requires prior authorisation from the Inspectorate. The data exporter must demonstrate that it has a valid legal basis to process the particular personal data and that a sufficient level of data protection is guaranteed in the US for that specific case of data transfer. To demonstrate to the Inspectorate that a sufficient level of data protection is guaranteed, the data exporter can generally rely on data transfer agreements based on EU Model Contracts or Binding Corporate Rules.

No prior authorisation is needed from the Inspectorate only:

  • if the data subject has provided valid consent for the specific transfer to take place;
  • where the transfer is necessary for the protection of the life, health or freedom of the data subject or another person if obtaining the consent of the data subject is impossible;
  • if a third person requests information obtained or created while performing public duties and the data requested do not contain any sensitive personal data and access to them has not been restricted for other reasons.

Uncertainty related to implementation of new measures

Second, for those companies that until the Schrems judgment transferred data to the US under the Safe Harbour regime and urgently need to continue these data transfers legally, a great deal of uncertainty arises as to how quickly they should implement new measures and obtain relevant authorisation for transferring personal data to the US.

On the one hand, it is clear that the Safe Harbour principles can no longer be relied upon and data exporters have to implement new measures for transfers. On the other hand, the Inspectorate is now also unlikely to direct its resources at active supervision of data controllers who may be transferring personal data to the US. No official guidance is available from the Inspectorate on this issue. The Inspectorate is expected soon to update its non-binding guidelines on data transfers.

LATVIA

Data transfer will be more complicated

First, from now on the transfer of personal data to the US, and the transfer-related data-processing registration with the Latvian Data State Inspectorate (Inspectorate), will be more difficult from the legal point of view.

Before the Schrems judgment, for the Inspectorate to confirm that a data transfer was legal, it was enough to indicate in the data-processing registration application that the transfer would be to a US company that had Safe Harbour certification.

Now it is necessary to use other mechanisms for the transfer of personal data. All data transfers to the US are regarded as data transfers to a country that does not ensure a level of data protection equivalent to that in Latvia. The options are listed in Section 28 of the Latvian Personal Data Protection Law and, among others, include:

  • A data transfer agreement must be concluded based on the EU Model Clauses or based on the standard conditions approved by the Latvian Government.
  • The data subject gives consent.
  • The data controller must be bound by the Binding Corporate Rules.

Instead of registering personal data protection activities relating to data transfers with the Inspectorate, data controllers have always been able to appoint and register a data protection specialist with the Inspectorate. However, this does not solve the problem of the non-existence of the relevant legal basis for the international data transfers.

Uncertainty related to implementation of new measures

Second, for those companies that until the Schrems judgment have transferred data to the US under the Safe Harbour regime and urgently need to continue such data transfers legally, there is a great deal of uncertainty regarding what they should do now.

The Inspectorate is expected to announce an action plan in this respect as well as explain other practical consequences arising from the judgment. So far the Inspectorate has not officially commented on the consequences of the Schrems judgment; however, it is highly unlikely that data controllers who relied on the legality of the Safe Harbour regime for data transfers to the US until 6 October 2015 will face any negative consequences from the Inspectorate. Likewise, it seems unlikely that the Inspectorate will impose any severe sanctions on the data controllers who need reasonable time to implement new legal tools for the lawful transfer of data to replace those that have been invalidated by the Court of Justice of the European Union.

LITHUANIA

Under the Lithuanian Data Protection Law, transfers outside EU/EEA member countries from Lithuania must be authorised by the Data Protection Inspectorate (Inspectorate) unless one of the statutory exceptions applies (eg consent of the data subject; transfer is necessary for the benefit of the data subject). As employee consent is considered insufficient, given that no other exception applies, transfers of employee data always require prior authorisation by the Inspectorate.

The ruling of the Court of Justice of the European Union (the Schrems Judgment) found that the Safe Harbour framework is invalid. This creates several immediate practical consequences for businesses in Lithuania that have relied on the Safe Harbour framework to transfer personal data to the US.

Data transfer will be more complicated

First, from now on personal data transfer to the US as such and also transfer-related data processing registration with the Inspectorate will be more difficult from the legal point of view.

Before the Schrems Judgment, an adequate level of data protection could have been supported by a valid Safe Harbour certificate for US entities and a simple Data Transfer Agreement; or an agreement between the data importer and data exporter corresponding to Standard Contractual Clauses issued by the European Commission; or an Intra-group Data Transfer Agreement (eg Binding Corporate Rules).

With regard to the Schrems Judgment, the first of the three options for proving an adequate level of data protection (ie, the Safe Harbour framework) becomes illegal, so the remaining two options have to be relied upon.

Uncertainty related to implementation of new measures

Second, for those companies that have transferred data to the US under the Safe Harbour regime until the Schrems Judgment and that are striving to continue legal data transfers, much uncertainty arises as to how quickly they should implement new measures and obtain relevant authorisation for transferring personal data to the US.

So far, the Lithuanian Inspectorate has not officially commented on the Schrems Judgment and its consequences for national data transfer authorisation procedures. The Lithuanian Inspectorate is likely to wait until some guidance is given by the Working Party before guiding data controllers on how to reframe the legal basis for data transfers to the US. However, it is highly unlikely that data controllers who relied on the legality of the Safe Harbour regime for data transfers to the US until the Schrems Judgment will face negative consequences from the Inspectorate, especially taking into consideration the position expressed in the Statement of the Working Party that all necessary and appropriate action may be taken after the transfer tools are assessed after the end of January 2016 if no appropriate solution is found with the US authorities.

 
ESTONIA
Mihkel Miidla
Senior Associate
Pärnu mnt 15
10141 Tallinn
ph +372 6 400 900
estonia@sorainen.com
 
LATVIA
Agris Repšs
Partner
Kr. Valdemāra iela 21
LV-1010 Riga
ph +371 67 365 000
latvia@sorainen.com
 
LITHUANIA
Renata Beržanskienė
Partner
Jogailos g 4
LT-01116 Vilnius
ph +370 52 685 040
lithuania@sorainen.com
 
BELARUS
Alexey Anischenko
Partner
ul Nemiga 40
220004 Minsk
ph +375 17 306 2102
belarus@sorainen.com

You have received this e-mail with the SORAINEN Information Technology & Data Protection Newsflash because you are in the SORAINEN database

Please note that SORAINEN newsflashes are compiled for general information only, free of obligation and free of legal responsibility and liability. They do not cover all laws or reflect all changes in legislation, nor are the explanations provided exhaustive. Therefore, we recommend that you contact your legal adviser for further information. Electronic versions of newsflashes are available and can be subscribed to on the SORAINEN website – www.sorainen.com.

© SORAINEN 2015
All rights reserved