On November 6, 2015, the European Commission released a widely-anticipated Communication assessing the impact of the judgment of the European Court of Justice (“ECJ”) in the Schrems case (C-362/14), which invalidated the U.S.-EU Safe Harbor framework. Though the Communication is not legally binding, it provides useful guidance to companies on transfers of personal data to the United States in the absence of the Safe Harbor mechanism.
The Commission’s Communication is consistent with analysis and approach outlined by the European data protection authorities (“DPA”) in their October 16 statement on Schrems. It clarifies the following:
- Safe Harbor 2.0: The Commission hopes to reach an agreement the U.S. government within the next three months on a new Safe Harbor framework that will provide for sufficient safeguards and judicial control mechanisms for the protection of the personal data of EU citizens. Such safeguards and mechanisms must address, in particular, possible access to personal data by U.S. public authorities for law enforcement and national security purposes.
- Alternative transfer mechanisms: In the meantime, companies may rely on the Commission’s Model Contracts or on BCRs for large or structural transfers of personal data to the U.S, and the national DPAs may not refuse such transfers solely on the grounds that the Model Contracts do not offer sufficient safeguards. Instead, where there are doubts as to adequacy, DPAs should bring a case before the national courts, which in turn may make a request for a preliminary ruling to the ECJ. For intra-group transfers, companies with affiliates located outside the EU may consider the use of BCRs.
- Reliance on derogations: The Commission advises that, in limited circumstances, companies may transfer personal data based upon one of the derogations provided for in the Data Protection Directive. For example, transfers that are necessary for the performance of a contract are valid provided that individuals have directly requested a specific service (e.g., in the context of making a hotel reservation or for bank transfers); secondary uses of that data (e.g., for marketing purposes) would be invalid. Furthermore, transfers of personal data may be made where necessary for the establishment, exercise or defense of a legal claim. This derogation may be used in the context of e-discovery procedures, subject to compliance with international rules on cooperation in criminal or civil proceedings. Finally, transfers may also be based upon an individual’s consent, provided the individual is informed about the country to which their data is transferred and under which conditions (purpose, identity and details of the recipients). The Commission takes note of the Article 29 Working Party’s view that consent is unlikely to provide an adequate long-term basis for large-scale “structural” transfers of personal data.
- Other adequacy findings: The Communication announces that the Commission will revise its adequacy decisions which recognizes that certain countries (e.g., Argentina, Canada, Israel, Switzerland) provide sufficient guarantees for the transfer of personal data. Since these adequacy decisions place limitations on the investigatory powers of DPAs that are similar to the provisions the ECJ invalidated in Schrems, those limitations must be removed according to the Commission.
The Communication highlights that companies must cooperate with the DPAs since the DPAs are “the main enforcers of the fundamental rights of data subjects.” In this connection, it should be noted that the DPAs in some Member States, such as Spain and the Czech Republic, have begun to issue formal warnings that companies must have alternative mechanisms in place for transfers that were formerly based on Safe Harbor.