Harbour news: possible consequences for Latvia
 
   
  Agris Repšs
  Agris Repšs
Partner
agris.repss@sorainen.com
   
  Andis Burkevics
  Andis Burkevics
Senior Associate
andis.burkevics@sorainen.com
   
 
  Valts Nerets
Associate
valts.nerets@sorainen.com
   
Dear clients and cooperation partners,

In the Schrems judgment of 6 October, the Court of Justice of the European Union declared that the so-called Safe Harbour scheme, which allowed the convenient transfer of personal data from the EU to US companies, is invalid.

The Safe harbour scheme was developed by the US Department of Commerce in consultation with the European Commission (the Commission). Under the Safe Harbour privacy principles, individuals must be informed, for example, when data about them is collected and the collected data must be relevant for the purposes for which it is to be used. In 2000, as a result of these consultations, the Commission decided that the level of protection for the transfer of personal data from the EU to US companies that had implemented these privacy principles was equivalent to the level of data protection in the EU. In practice, this meant that transferring personal data from the EU to a US company that had implemented the Safe Harbour principles was almost as easy as transferring the data to another EU member state.

Whether a particular US company had correctly implemented these privacy principles was in essence assessed by the company itself by self-certifying.

The ruling that the Safe Harbour framework is invalid has several immediate practical consequences for businesses in Latvia.

First, from now on the transfer of personal data to the US and also transfer-related data-processing registration with the Latvian Data State Inspectorate (the Inspectorate) from the legal point of view will be more difficult.

Before the Schrems judgment, for the Inspectorate to confirm that a data transfer was legal, it was enough to indicate in the data-processing registration application that the transfer would be to a US company that had Safe Harbour certification.

Now it is necessary to use other mechanisms for the transfer of personal data. All data transfers to the US are regarded as data transfers to a country that does not ensure the level of data protection is equivalent to that in Latvia. The options are listed in Section 28 of the Latvian Personal Data Protection Law and, among others, include:

  1. A data transfer agreement must be concluded based on the EU Model Clauses or based on the standard conditions approved by the Latvian Government.
  2. The data subject gives consent.
  3. The data controller must be bound by the Binding Corporate Rules.

Instead of registering personal data protection activities relating to data transfers with the Inspectorate, data controllers have always been able to appoint and register a data protection specialist with the Inspectorate. However, this does not solve the problem of the non-existence of the relevant legal basis for the international data transfers.

Second, for those companies that until the Schrems judgment have transferred data to the US under the Safe Harbour regime and urgently need to continue such data transfers legally, there is a great deal of uncertainty regarding what they should do now.

The Inspectorate is expected to announce an action plan in this respect as well as explain other practical consequences arising from the judgment. So far the Inspectorate has not officially commented on the consequences of the Schrems judgment; however, it is highly unlikely that data controllers who relied on the legality of the Safe Harbour regime for data transfers to the US until 6 October 2015 will face any negative consequences from the Inspectorate. Likewise, it seems unlikely that the Inspectorate will impose any severe sanctions on the data controllers who need reasonable time to implement new legal tools for the lawful transfer of data to replace those that have been invalidated by the Court of Justice of the European Union.

In any event, we will closely monitor further developments and provide relevant information as soon as there is any news.

 
ESTONIA
Mihkel Miidla
Senior Associate
send e-mail
Pärnu mnt 15
10141 Tallinn
ph +372 6 400 900
estonia@sorainen.com
 
LATVIA
Agris Repšs
Partner
send e-mail
Kr. Valdemāra iela 21
LV-1010 Riga
ph +371 67 365 000
latvia@sorainen.com
 
LITHUANIA
Renata Beržanskienė
Partner
send e-mail
Jogailos g 4
LT-01116 Vilnius
ph +370 52 685 040
lithuania@sorainen.com
 
BELARUS
Alexey Anischenko
Partner
send e-mail
ul Nemiga 40
220004 Minsk
ph +375 17 306 2102
belarus@sorainen.com

You have received this e-mail with the SORAINEN Latvian Information Technology & Data Protection Newsflash because you are in the SORAINEN database
You can modify your subscription preferences by clicking here or to unsubscribe from receiving all SORAINEN mailings in the future, please reply by clicking here.

Please note that SORAINEN newsflashes are compiled for general information only, free of obligation and free of legal responsibility and liability. They do not cover all laws or reflect all changes in legislation, nor are the explanations provided exhaustive. Therefore, we recommend that you contact your legal adviser for further information. Electronic versions of newsflashes are available and can be subscribed to on the SORAINEN website – www.sorainen.com.

© SORAINEN 2015
All rights reserved