EU/US Safe Harbour Rule Declared Invalid
EU-US cross-border transfers of personal data: the EU Court of Justice declares the US Safe Harbour Decision invalid. What are the options now?
Pursuant to the EU Data Protection Directive, the transfer of personal data to a third country is allowed only if that third country is considered to ensure an adequate level of protection. The EU Commission enacted the 26 July 2000 Decision, which declared that the US ensured an adequate level of protection if the transfer of personal data was conducted under the requirements of the so-called “Safe Harbour scheme”.
The EU Court of Justice (CJ), in a recent judgement (October 6, 2015), declared the Safe Harbour Decision invalid, leaving thousands of US companies that rely on the Safe Harbour rule for the transfer of personal data without a legal basis to conduct such transfers. This situation has prompted the data protection authorities in the EU to discuss the consequences of the judgement. The judgement resulted from a complaint filed by an Austrian citizen as a result of the controversial US government surveillance activities concerning personal data of EU citizens.
What are the options to be applied to avoid potential penalties from EU supervisory authorities?
The options for the transfer of data from the EU to the US could be the following, considering the specific circumstances of the case:
(i) To put in place Standard Model Clauses. The Standard Model Clauses are standard agreements approved by the EU and used for the transfer of data from an exporter located in the EU to an importer located in a country that the EU considers does not offer adequate protection, such as, in this case, the United States now that Safe Harbour has been declared invalid. However, these Standard Model Clauses do not state that public authorities are subject to them, which could lead, considering the grounds of the judgement, to these types of clauses being declared invalid. Despite this, the option seems feasible while the corresponding procedures seeking to invalidate the Standard Model Clauses are awaited, which may take some time.
(ii) Use the derogations under the Directive, which allow transfers to third countries that do not ensure an adequate level of protection. Article 26 (i) of the EU Directive provides for this set of derogations, which are listed below:
(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
(e) the transfer is necessary in order to protect the vital interests of the data subject; or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
Why does LexLey Worldwide not fully agree with the CJ's judgement? These are our reasons:
EU legislation and the Safe Harbour rule provide the legal basis and rights that the CJ indicates are denied to individuals. In fact, under the Safe Harbour rule, individuals have several options. If individuals know which US organisation is holding their data and they detect a problem, they can address themselves directly to that organisation, which is obliged when joining the "safe harbor" rules to identify a point of contact. The organisation is also obliged to identify clearly the dispute resolution body to which individuals can turn. Individuals can also, and in all likelihood often will, turn to their national or regional data protection Commissioner, or perhaps the company (Irish subsidiary) that has exported the data. The latter (as data controller) will be able to help put individuals in touch with the complaint handling department of the US company itself, or with the independent dispute resolution body, by consulting the "safe harbor" list. Moreover, under the Safe Harbour rule and EU legislation, individuals are granted the right to opt out and the rights of access, rectification and cancellation with regard to their personal data. Therefore individuals have means of redress enabling the data that belong to them to be accessed or erased.
EU authorities retain powers to intervene in certain cases and are provided with the right to suspend transfers. For example, if evidence of non-compliance accumulates and the relevant US enforcement body is not doing its job properly and if letting transfers continue risks causing grave harm to data subjects, EU authorities can suspend transfers. The Commission could subsequently change the "safe harbor" decision to exclude an ineffective US enforcement body. Therefore, the judgement could be considered excessive in view of the available options.
From our perspective, the judgement had to interpret (i) how the national security, public interest and law enforcement exceptions apply in the case of transfers of EU personal data to a third country, and (ii) how the restrictions on the exercise of an individual's rights under the Safe Harbour scheme operate in those circumstances. The Court's judgement declaring the Safe Harbour scheme invalid may seek to gain bargaining power in the ongoing negotiations concerning the protection of data in the case of cross-border transfers.