Most privacy professionals are familiar with the European Court of Justice’s 2015 Schrems decision, which struck down the US-EU Safe Harbor mechanism. One lesser-discussed aspect of the ECJ’s decision related to the powers of Data Protection Authorities (DPAs) within the EU’s Member States. In the Schrems proceedings, the Irish Data Protection Commission argued that it had no authority to suspend or restrict transfers based on Safe Harbor because Safe Harbor was a decision by the EU Commission. The ECJ rejected this argument, holding that the Commission cannot restrict DPAs’ ability to suspend or restrict transfers to third countries in individual cases where they find that adequate protection is not present.
This aspect of the ECJ’s Schrems decision casts into doubt several provisions contained in further Commission decisions underlying (a) Model Clauses and (b) country-specific adequacy decisions (also referred to as “whitelisting” decisions). Each of these decisions enumerated limited conditions under which Member State DPAs could restrict or suspend data transfers to a third country made on these bases. Given that the ECJ’s Schrems decision indicated the Commission could not limit DPAs’ authority in this fashion, there was speculation that Model Clauses and existing adequacy decisions would need to be updated to comply with the change in law.
EU institutions have set the process for changing these decisions in motion. On October 3, 2016, the Article 31 Committee met to discuss draft amendments to the Commission decisions underlying (a) Model Clauses and (b) country-specific adequacy decisions. The Committee tabled any action because certain countries “were not yet ready to take a decision and asked to be given more time,” and did not release the draft amendments to the decisions.
On November 15, however, the Article 31 Committee reconvened, and approved the draft updates to (a) the Commission decision underlying Model Clauses; and (b) country-specific adequacy decisions. The following briefly summarizes the changes to these decisions:
1. Model Clauses
Non-EU companies that conclude contracts incorporating Model Clauses are in principle allowed to receive EU data from their EU contractual partners. Presently, Article 4 of the Commission decisions on both C2C and C2P Model Clauses permits DPAs to restrict or suspend transfers to a third country that are based on Model Clauses if:
(a) the third country’s law requires the data importer to derogate from data protection law “beyond the restrictions necessary in a democratic society,” and is likely to have a “substantial adverse effect” on privacy guarantees;
(b) the DPA determines the data importer “has not respected” the Model Clauses; or
(c) there is a substantial likelihood the Model Clauses are not being complied with, creating an “imminent risk of grave harm” to EU data subjects.
Additionally, the present Article 4 requires DPAs to lift any “prohibition or suspension” on transfers “as soon as the reasons for the prohibition or suspension no longer exist.”
The Article 31 Committee’s changes to Article 4 eliminate these requirements. The Amended Article 4 now permits DPAs to “exercise their powers . . . leading to the suspension or definitive ban of data flows to third countries” as long as they “inform the Commission” of their actions “without delay.”
2. Country Whitelisting Decisions
Presently, the Commission has issued 11 so-called “whitelisting” decisions determining that specific non-EU countries offer adequate protection to EU data transferred there. (Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay are deemed to provide adequate protection.) The Commission’s decisions permit EU companies to transfer data to recipients in these whitelisted countries without having to install other transfer mechanisms, such as Model Clauses or Binding Corporate Rules.
At present, Article 3 of Commission whitelisting decisions generally permits DPAs to restrict or suspend transfers to a whitelisted country only if:
(a) the DPA determines the data recipient is in breach of the “applicable standards of protection;” or
(b) there is a “substantial likelihood” that privacy standards are being infringed, creating an “imminent risk of grave harm” to EU data subjects, while (i) the DPA has grounds to believe local third-country authorities will not resolve the issue, and (ii) the DPA has provided the data recipient with notice and an opportunity to be heard.
Moreover, the DPA must lift any suspension “as soon as the standards of protection are assured.”
The Article 31 Committee has now approved an Amended Article 3, which permits DPAs to “exercise their powers . . . leading to the suspension or definitive ban of data flows” to the whitelisted country, as long as they notify the Commission without delay. Additionally, the Article 31 Committee has added a new Article 3a to existing whitelisting decisions. The new Article 3a sets up a continuous monitoring and information-exchange regime between the Commission and Member State DPAs, including:
- The Commission will monitor “developments in [the third-country] legal order” on an ongoing basis to ensure that data protection remains adequate;
- DPAs and the Commission are obligated to inform each other of instances where third-party data-protection authorities fail to ensure proper protection;
- DPAs and the Commission are obligated to inform each other of any “indications” that “public authorities responsible for national security” or “law enforcement” interfere with privacy rights in a manner “beyond what is strictly necessary” – or where there is “no effective legal protection” against such interference; and
- If the Commission determines that “an adequate level of protection is no longer ensured” in the third country, it “shall” (a) notify third-country authorities and (b) “if necessary,” propose draft repealing or suspension measures.
The good news for companies is that the Article 31 Committee’s amendments do not appear to change the substance of either (a) Model Clauses, or (b) existing country-specific adequacy decisions. This means companies will not have to change their existing transfer policies, procedures, or existing contracts. Not having to amend intercompany agreements, or re-negotiate vendor agreements, should be welcome news for many companies.
Instead, the Article 31 Committee’s updates strengthen European DPAs’ ability to enforce the already-present privacy requirements in Model Clauses and Commission whitelisting decisions. Such increased DPA authority complements the substantial powers granted to DPAs under the EU General Data Protection Regulation (GDPR), which will enter into force in May 2018. Many companies are already preparing for a more robust enforcement environment upon the GDPR’s entry into force. The amendments to Model Clause and Commission whitelisting decisions indicate that the anticipated heightened enforcement environment will apply to all transfer mechanisms – and that European DPAs will keep each other informed about enforcement actions they undertake.
Lastly, the Article 31 Committee’s inclusion of provisions requiring DPAs to monitor national-security and law-enforcement information requests in all whitelisted countries would appear to be aimed at allaying criticisms that US public-sector requests were receiving scrutiny that was not being applied to other countries’ practices.
* * * * *
Alston & Bird is closely following amendments to Model Clauses and Commission whitelisting decisions, and is assisting companies in installing global data-transfer strategies fitted to heightened GDPR requirements and enforcement risks. For more information, contact Jim Harvey or David Keating.