We are still following developments in the EU relating to the invalidation of the US-EU Safe Harbor Framework. In case you were on a secluded island during the month of October, you can catch up here.
European Commission Issues Communication. On Friday, the European Commission issued "long-awaited" guidance (called a Communication), which did not shed much new light on the cross-border data transfer issues, but instead rehashes the "alternative transfer tools" available to legitimize data flows to jurisdictions deemed "not adequate," like the United States. More after the jump.
[A]lternative tools authorising data flows can still be used by companies for lawful data transfers to third countries like the United States [while] a renewed and sound framework for transfers of personal data to the United States remains a key priority . . .
Until such time as the renewed transatlantic framework is in place, companies need to rely on the alternative transfer tools available. . . In this regard, the DPAs have a central role to play. As the main enforcers of the fundamental rights of data subjects, the DPAs are both responsible for and empowered to supervise data transfers from the EU to third countries, in full independence. The Commission invites data controllers to cooperate with the DPAs, thereby helping them to effectively carry out their supervisory role.
The DPAs remain competent to examine claims within the meaning of Article 28(4) of Directive 95/46/EC that the data transfer complies with the requirements laid down by the Directive (as interpreted by the Court of Justice), but cannot make a definitive finding. Rather, the member states have to provide for the possibility to bring the case before a national court, which in turn can trigger the jurisdiction of the Court of Justice by way of a request for a preliminary ruling.
Mintz Levin's advice continues to be: analyze your data streams, determine which of the "alternative tools" authorizing the transfer of personal data is most appropriate, and start to implement a plan. The operational deadline to avoid potential enforcement is January 31, 2016.
Spanish DPA Notifies Registered Companies
Also last week, the Spanish data protection authority (the "AEPD") sent letters to all companies operating in Spain that had previously notified the AEPD (as required.....) of cross-border data transfers to companies relying on Safe Harbor. The AEPD implicitly recognizes the "alternative tools" as adequate to justify data transfers to jurisdictions without adequate data protection, provided that:
- Standard contractual clauses remain adequate, but as before, they must be authorized by the AEPD. The authorization process generally takes about three months. [The letter requires that all companies that received the letter to inform the AEPD not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States]
- Data transfers remain adequate without authorization from the AEPD if they meet one of the following conditions:
- The transfer is made with the data subject’s unambiguous consent;
- is necessary for the performance of a contract with, or in the interests of, the data subject;
- results from a treaty or convention to which Spain is a party;
- is necessary or legally required to safeguard public interest, provide judicial aid, medical care, or support legal claims;
- is necessary to protect the vital interests of the data subject; or
- is made from a public register.
Regardless of whether a specific mechanism requires authorization, all data transfers require prior notification to the AEPD. This has always been the case under Spain's data protection law, and is not new or the result of the invalidation of Safe Harbor.
The letter also notes that companies that fail to inform the AEPD of the mechanisms used to justify cross-border data transfers may be subject to enforcement actions, which may include monetary fines and the temporary suspension of transfers.
And one last note of interest.....
We're constantly being asked why the Federal Trade Commission and Department of Commerce (DOC) have kept the Safe Harbor process "open for business," as it were. The website is live, renewals are being accepted, and despite the fact that there is no legal basis for the Framework, new applications are being accepted. Proving that you never know what you will find on social media, a former DOC employee who was in charge of the Safe Harbor program at one time posted the following:
Safe Harbor, in this context, only has value to the US business community if it offers prospective and current members legal certainty concerning the rules which govern data flows within the EU that are transferred to or accessed by certified entities. Article 26, the so-called derogations, allows organizations to employ options mentioned in therein, which would allow data to continue to flow to the U.S., comply with the directive, and protect EU citizens.
That the Department of Commerce would continue Safe Harbor sans explanation and not place a moratorium on the program pending the negotiations' resolution and recognition as a bona fide replacement as if nothing is amiss is unethical especially whilst collecting fees for new applicants and renewals that total nearly a half million dollars annually.
[Safe Harbor] existed because of the 2000 adequacy finding. With the finding's abrogation the program's worth is no more than grains of sand.