After Safe Harbor: what to do next to remain compliant? (October 2015)

In our recent Flash News, we reported that on October 6, the CJEU handed down its judgment in Schrems v. Data Protection Commissioner declaring Safe Harbor, a widely used legal instrument allowing for transfers of personal data from the EU to U.S. organizations that have self-certified their compliance with the Safe Harbor Privacy Principles, invalid.

Technically, as of the date of the decision, all transfers of personal data to the U.S. became unlawful. Many businesses that have relied solely on Safe Harbor are thus facing a significant challenge to legitimize their trans-Atlantic personal data transfers in the legal void created by the CJEU's decision.

The recommended course of action for businesses is as follows:

  1. An internal assessment of personal data transfers should be the first step. It will help companies identify personal data that are critical to their business and the transfers of which need to be prioritized. It is advisable to minimize non-critical personal data transfers.
  2. Revision of existing contracts with U.S.-based service providers is a must. Replacing the Safe Harbor framework with the European Commission's pre-approved Standard Contractual Clauses (SCC) will likely be the least costly and quickest practical solution for most companies. The SCC are suitable for intra-company transfers (e.g. the transfer of employee or vendor personal data between an EU company and its U.S. parent company) as well as for transfers between an EU company and its U.S.-based vendor (e.g. a data center). Before you rush to circulate an addendum with the SCC to your U.S. counterpart, you will have to determine which of the two variants of the SCC is suitable for your data transfer: the controller-to-controller set of clauses or the controller-to-processor set (the latter being used widely for any outsourcing of data processing and storage to a U.S. hosting or other service provider). Further, apart from the boilerplate provisions of these model clauses, which must remain unchanged if the SCC are to fulfill their purpose, the SCC include appendices that are not boilerplate and that companies will have to review and complete carefully. In these appendices, the parties will have to describe, inter alia, the type(s) of personal data to be transferred and how they will be processed, and the technical and organizational measures that the U.S. "data importer" will have in place to protect the data so as to ensure a level of protection adequate by EU standards. In order to correctly implement the SCC, companies will inevitably have to carry out the assessment mentioned in step 1 above.
  3. It is highly advisable to get in touch with the U.S. personal data recipients (data importers) and discuss the security controls and measures they already have in place or are planning to implement. Seek confirmation from your U.S.-based service providers that they will remain Safe Harbor certified as long as the certification is available (note that U.S. authorities recently announced that the Safe Harbor self-certification process will continue to be administered). Safe Harbor, although declared invalid, still encompasses some basic principles that should be adhered to at all times. U.S. companies that have already certified to the Safe Harbor principles should thus continue to adhere to this framework, while watching for the anticipated compliance guidance from EU data protection authorities (see below). Further, if you are considering BCR for intra-group transfers (see below), the Safe Harbor principles are a good starting point; you may consider leveraging this existing compliance set-up by transforming the Safe Harbor policies and procedures compliance program into BCR.
  4. For intra-group trans-Atlantic personal data transfers, typically the transfer of employee data within a multinational company, a long-term solution may consist of implementing Binding Corporate Rules (BCR-C for multinational controllers, BCR-P for transfers to affiliated personal data processors). While this is generally a rather time-consuming and costly process, it has become somewhat easier over the past years as national Data Protection Authorities (DPAs) have become more experienced and efficient in coordinating their approval processes. The (hopefully) upcoming General Data Protection Regulation also promises to further simplify the process by creating a one-stop shop for DPA approval.

When taking any final (and potentially costly and time-consuming) decision, businesses should always bear in mind that even though the CJEU addressed only the deficiencies of Safe Harbor in its recent decision, the reasons for invalidating Safe Harbor, i.e. the breadth of U.S. government surveillance practices, may potentially also apply to both SCC and BCR, i.e. the Safe Harbor alternatives presented in this article. The data protection commissioner of the German state of Schleswig-Holstein went so far yesterday as to recommend that companies using SCC cancel them with their U.S. partners and perform a complete review of their data transfers, consulting with the DPA of Schleswig-Holstein in basically every instance. Fortunately, other European DPAs take a much more cautious approach, indicating that they will not rush to enforce the decision and impose sanctions on EU transferring companies that had hitherto relied on Safe Harbor (see, for example, the statement made by the UK Information Commissioner's Office). The national DPAs are now meeting with the European Commission and have promised to issue compliance guidance; until then, due diligence, consisting of taking prompt steps to reassess data transfer needs and set-ups and to replace the Safe Harbor program, should be invoked as a defense against any claims based on personal data transfers under the invalidated Safe Harbor.