On October 6, 2015, the Court of Justice of the European Union ("CJEU") invalidated a decision by the European Commission that recognized the adequacy of a self-certification scheme for United Statesbased companies for the purpose of allowing businesses to transfer personal data from the European Union to the U.S. (Case C-362/14). The invalidated European Commission decision is one of only 12 adequacy decisions adopted by the European Commission, and is generally known as Safe Harbor.
We sent an earlier eAlert on the CJEU judgment in the Schrems case in October.
As a result of the Schrems judgment, businesses may no longer transfer personal data from the European Union to the United States relying on the EU Safe Harbor decision. On November 6, the European Commission issued a Communication to the European Parliament. The Communication followed on the heels of a number of public statements by the European Commission, the Article 29 Data Protection Working Party, which is comprised of the data protection agencies of all the European member states, the U.S. Secretary of Commerce, and by an increasingly discordant number of national and local data protection agencies in the European Union, which were prompted by the Schrems judgment.
In its Communication, the European Commission reasserted its desire to negotiate a new framework for transatlantic data transfers of personal data with the United States. This would allow the European Commission to adopt a new safe harbor decision after finding that the U.S. may adequately protect personal data where U.S. data importers adhere to the new framework negotiated by the United States and the European Commission. The Commission hopes to conclude the discussions with the United States and achieve its objective within three months.
In the meantime, the European Commission invites businesses transferring personal data from the European Union to the United States to cooperate with the national data protection agencies in the European Union, while the European Commission works with the Article 29 Data Protection Working Group to ensure a uniform application of European data protection law. The adequacy of the data protection measures put into place by businesses would thus be controlled by the national and local data protection agencies in the European Union.
The Role of National Data Protection Agencies in the EU
Of practical importance is the European Commission's insistence that the national data protection agencies have the power to investigate and enforce European data protection rules, and that they will continue to be able to do so even if and when the European Commission reaches an agreement with the U.S. on a new framework for transatlantic data transfers of personal data and issues a new adequacy decision for the United States.
If and when the European Commission were to adopt a new safe harbor decision, the principal limitation of the various data protection agencies' power would be that in order to act against a violation of a personal data right by a business transferring such personal data to the United States, the local or national data protection agency would first have to take the issue to court and the court would have to ask the CJEU, which has exclusive jurisdiction to invalidate a European Commission decision, to declare the new safe harbor decision invalid.
According to both the European Commission and the Article 29 Data Protection Working Party, until a new safe harbor decision is issued by the European Commission, it is up to businesses transferring personal data from the European Union to the United States to mitigate possible legal risks, by putting into place standard contract clauses or binding corporate rules between the businesses transferring the data.
Standard contract clauses as approved by the European Commission must be used unchanged. They are in principle binding on national authorities such as the various national data protection agencies. Using such clauses does not require prior authorization from the national data protection agencies in most EU member states. Where a member state requires notification and/or preauthorization, the authorization is in principle automatically granted once the data protection agency has verified that no changes have been made to the standard contractual clauses.
Further Scrutiny of Standard Contractual Clauses and Corporate Rules
Both the standard contractual clauses and the binding corporate rules solutions are subject to further scrutiny as to their adequacy by the Article 29 Data Protection Working Party, which has stated publicly that it is reviewing these, and by the various national data protection agencies. A number of these data protection agencies, notably in Germany, have already stated publicly that they do not consider standard contract clauses or binding corporate rules to provide for an adequate level of protection, allowing the transfer of personal data to the United States, and that they will not approve new binding corporate rules pending the deadline set by the European Commission to negotiate a new safe harbor.
In this context, the recent CJEU judgment in the Weltimmo case (Case C-230/14) widened the definition of establishment, for the purpose of being subject to the data protection laws in a European Union member state, to cover any real and effective activity -- even a minimal one -- exercised in that member state through stable arrangements.
This decision effectively erodes the one-stop-shop approach of a single national data protection agency supervising all the personal data transfer activity of a business from the European Union to the United States. Under the Weltimmo judgment, where a business regularly addresses the public in any given member state, it will from now on likely be subject to that member state's data protection agency's supervision as well.
Other solutions based on exemptions from the blanket prohibition of transfers of personal data to countries that the European Union considers do not provide adequate levels of protection of personal data (this includes all but 11 of the countries in the world) have already been interpreted so narrowly, notably by the Article 29 Data Protection Working Party, that they could at best only justify transfers in highly specific situations.
The Situation Continues to Evolve
At present, we recommend as good practice that companies ensure that all of their data processing and transfers in and from the European Union are covered by standard contractual clauses or approved binding corporate rules, and are adequately documented, before the looming deadline at the end of January 2016, at which date investigation and enforcement actions by national data protection agencies, sometimes under the pressure of class actions, appear likely.
We will continue to monitor and report on developments regarding the transfer of personal data from the European Union to the United States, in transactional settings and also in litigation, which an area where the requirements of e-discovery rules and practice create particular issues and conflicts with EU data protection laws, and to advise on and implement solutions.