by Boris Segalis, Marcus Evans and Jay Modrall
As we have written extensively, the European Court of Justice’s (ECJ’s) ruling in the Schrems case on October 6, 2015 may effectively invalidate the US-EU Safe Harbor framework. While we believe that the Advocate General’s rationale for the proposal is weak, organizations that rely on the Safe Harbor are anxious about the consequences such a decision could have on their operations, and want to make appropriate mitigation plans.
Our global Data Protection, Privacy & Cybersecurity team offers a plan of action should the ECJ adopt the Advocate General’s recommendation to invalidate the Safe Harbor. If you would like us to help assess and mitigate the specific circumstances of your organization, please contact the authors.
1. Which organizations will face immediate consequences if the ECJ invalidates the Safe Harbor?
We expect the most immediate impact will be on Safe Harbor-certified B2B providers that sell their products and services to European business customers and rely on the Safe Harbor to export European data to the US for processing.
An adverse decision would probably disrupt ongoing negotiations with European business customers. European customers would likely require their providers to establish alternative grounds to transfer data to the US in accordance with the requirements of EU Data Protection Directive 95/46/EC. Ongoing relationships could be at risk, as customers may threaten to interrupt the delivery of goods or services and seek redress for noncompliance.
If the decision does not invalidate the Safe Harbor, but only gives Member State Data Protection Authorities (DPAs) discretion to make their own assessment of the validity of transfers under Safe Harbor, the Safe Harbor framework would remain in place and continue to be available to cover data exports in connection with trans-Atlantic B2B contracts. Nonetheless, customers may still seek alternative ways to address the risk that one or more DPAs may find transfers under the Safe Harbor illegal. Thus, even if the Safe Harbor is not invalidated, companies currently relying on the Safe Harbor are advised to assess their exposure to challenges before individual DPAs and to consider alternatives.
All other organizations that rely on the Safe Harbor will be affected as well, but not until the consequences of the decision percolate through the regulatory and enforcement process. Unlike B2Bs, which face immediate “enforcement” by their business customers, other organizations are not likely to face immediate enforcement by local data protection authorities for a number of reasons (see below).
2. If ECJ decides to invalidate Safe Harbor, how would the court do it? What would be the immediate legal consequence of an ECJ decision invalidating the Safe Harbor?
If the ECJ rules the Safe Harbor invalid, that decision will likely apply immediately. The practical effect of such a decision would, however, depend on the actions of DPAs and others. We believe that DPAs would be unlikely to take immediate action to suspend transfers by companies under their jurisdiction in reliance on the Safe Harbor. However, there would likely be a wave of complaints and possible requests for interim action such as injunctions before national courts.
If the ECJ finds that DPAs have the authority to make their own determinations as to whether certain types of transfers under the Safe Harbor are valid, there would be no immediate legal effect on the legality of transfers relying on the Safe Harbor. The Irish proceedings that gave rise to Schrems would continue, and other complaints would likely be filed to seek review by the Irish and other DPAs. While these proceedings could ultimately lead to data transfers being found invalid, this process would take months or years. Meanwhile, the European Commission would have more time to reach a new Safe Harbor agreement with the US, offering the DPAs an opportunity to find that the enhanced framework addresses their concerns.
3. Will there be immediate enforcement against organizations that rely on the Safe Harbor to transfer data to the US?
Even though an ECJ ruling invalidating the Safe Harbor would likely be applicable immediately, we believe regulators are unlikely to take immediate action to stop transfers from their jurisdictions in reliance on the Safe Harbor. However, activists like Mr. Schrems could try to seek injunctive relief to block exports more quickly. The likelihood that Safe Harbor-certified companies will become targets for such action varies significantly from organization to organization. Assessing enforcement exposure will be an important part of each company’s action plan.
4. What steps should companies consider in their Action Plans?
Each company will be affected by the Schrems decision in a different way, and mitigation plans will depend on their specific circumstances. That said, many mitigation plans are likely to include a combination of steps.
The Tool Box
It is important to remember that the EU Data Protection Directive 95/46/EC provides for certain “derogations,” which allow the transfer of personal data from Europe to the US. The most commonly used are set out below:
Companies for which these derogations apply will need to work with their counsel to formulate and document the rationale for relying on a particular derogation. It should be noted that the derogations are often less permissive than they appear at first sight, due to narrow interpretations given by the EU Article 29 Working Party (made up of representatives of all 28 EU DPAs) and the DPAs themselves.
Model clauses (in the form approved by the European Commission) may be another element of a mitigation plan. These clauses are not flexible, take time to execute, and are not always feasible due to their pass-through liability and audit requirements, and the need to execute clauses with any sub-processors. Nonetheless, use of the model clauses is the most obvious solution to difficulties with the Safe Harbor.
Pseudonimization and anonymization is another tool. Often the data transferred to the US does not need to be in an identifiable format. Total anonymization is difficult to achieve under European requirements, because the bar of how difficult it must be to re-identify the data is set so high, and because some DPAs base the threshold of identifiability on whether “any party” could identify an individual from a data set rather than only the party that is in possession of the data or is likely to receive the data.
Pseudonimization is likely to make it easier for companies in some EU Member States to rely on the derogations, because some Member States’ DPAs recognize that the risk to individuals’ privacy is substantially lower when personal data is pseudonimized.
In the long term, Binding Corporate Rules (BCRs) may become a feasible alternative. BCRs are time consuming and not inexpensive to put in place. If the Safe Harbor were eliminated, however, BCRs would be back on the map as an alternative that needs to be examined, because the initial difficulty in putting BCRs in place is compensated for by ease of operation once they are implemented. BCRs also allow a single solution for all global transfers from Europe, not just those to the US.
Ultimately, for each application, the mitigation plan may involve a combination of several of these alternatives to establish a legal basis for transferring personal data from the EEA (i.e., EU, Liechtenstein, Norway and Iceland) to the US. Here are a few high-level use cases:
Consider moving cloud storage to the EEA. Consider shifting to a cloud provider that accepts model clauses (many now do). Consider updating agreements with subcontractors to include robust audit requirements, relying on the changes in the legal requirements as justification. Many contracts envision negotiating changes that are necessary to comply with changes in legal requirements.
For managing HR data, model clauses probably make the most sense, because the parties (entities under common control in Europe and US) do not engage in arm’s-length transactions and thus are unlikely to enforce the more onerous model clause provisions against each other.
Online retailers that sell to European consumers may choose to explicitly inform their customers (as part of the checkout process) that their data would be transferred to the US to process the transaction. The form of this consent would require careful consideration, and any subsequent use and disclosure of the data by the retailer would need to be disclosed in an accurate privacy notice. This approach requires caution because some DPAs may not view consent (i.e., the consent derogation) as appropriate for bulk transfer of personal data to the US.
Pharma companies could seek to ensure that the data they receive in the US (e.g., clinical trial data) is pseudonimized or anonymized. Key-coding of personal data is a typical practice in the pharmaceutical industry (recognized in the Safe Harbor FAQs and WP29 opinions). The challenge for the pharma industry may lie in the need to introduce more robust processes and eliminate the possibility of ever having access to identified data, which is especially difficult in light of US FDA requirements.
The worst-case scenario would entail the ECJ invalidating the Safe Harbor and EU Member State DPAs taking immediate, robust enforcement action to implement the decision. It is difficult to imagine this scenario actually materializing, as the impact on the world economy would be immense. It is important to keep in mind that for the most part Europe ultimately is pragmatic. This pragmatism is what led to the establishment of the Safe Harbor framework in the first place. The framework was a compromise that Europe and the US viewed as necessary to “soften” the rigid requirements of the EU Data Protection Directive, and to protect trans-Atlantic trade from unnecessary shocks. All of these reasons are still true today, and with the weakness in China and other threats to European and US economies, there is unlikely to be appetite for shock treatment.
This does not mean that the Safe Harbor will survive unscathed, but it gives us comfort that the worst case scenario is a transition period that will allow companies to use the toolbox to get their house in order on cross-border data transfers.
The bottom line is that even if the ECJ invalidates the Safe Harbor outright on October 6, 2015 – an outcome we believe is not likely – there are other tools in the box to establish a legal basis for cross border data transfer from Europe to the US. Now is the time to take stock and ensure that solutions can be implemented promptly to continue transfers or otherwise avoid business interruptions.
Still anxious? Feel free to contact the authors of the post, and make sure to sign up for the blog to continue receiving updates on this and other important data protection topics.
Read more articles at Norton Rose Fulbright’s Data Protection Report.
For more information about LexisNexis products and solutions, please connect with us through our corporate site. international