In the aftermath of the Schrems decision and formal recognition by the EU Court of Justice (CJEU) that the Safe Harbor scheme was not fit for purpose, many of our clients are left wondering – how can we continue to engage with our US service providers and clients?
There are several strands of activity looking for a solution to this conundrum.
If reports are to be believed, the good people in Brussels are working closely with the US Dept of Commerce and the Federal Trade Commission (essentially, the ‘owners’ with responsibility for Safe Harbor) to find a new arrangement. By all accounts, this new solution (let’s call it ‘Protected Bay’, for now) will re-establish the principles by which EU citizens’ data will be processed within the US. It will also allow EU authorities, primarily the national Commissioners, to have more involvement in enforcing the scheme, and in monitoring and verifying compliance, something that was completely lacking with Safe Harbor.
The CJEU has indicated a deadline of end-January, 2016 by which some acceptable solution must be in place.
In parallel, some national Commissioners have already published their positions with regard to the ongoing transfer of personal data to the US, while Safe Harbor remains ‘broken’ (in dry-dock?). Just this morning, the Portuguese Commissioner issued a warning that their office will only provide ‘interim’ or temporary approval for transfers of Portuguese citizens’ data to companies in the US, and that their preference would be for such data to remain on servers stored within Portugal.
The combined might of the German state DP Commissioners, who can normally agree on anything, issued a joint position paper last week with their take on things. Not only did they display a generous dollop of ‘Schadenfreude’ with regard to Safe Harbor (our version of ‘we told you so’) – they also dismissed the two alternative arrangements which many thought would cover us in the interim – namely the Model Clauses and the Binding Corporate Rules arrangements.
Essentially, the Germans are saying that, without a US commitment to recognise the validity of EU courts, any such arrangement would be toothless and therefore pointless.
For that reason, they have taken a position that any transfer of personal data of which they become aware, and which relies solely on Safe Harbor to justify it, will not be approved. They have effectively told German data controllers that they are on their own, and that they must avail of 2014 guidance, issued by the joint Commissioners, in relation to management of overseas transfers in the Cloud environment. In such guidelines, individual consent for the transfer of personal data outside of the European zone remains the primary, and in some cases, the sole justification available.
To date, our own Commissioner’s Office in Portarlington is ‘maintaining a watching brief’, apparently until such time as they have had the opportunity to absorb the implications of the Schrems judgement, and to see which way the wind blows.
In the meantime, the best advice seems to be:
If at all possible, keep Irish and EU-sourced data stored within the EU region;
Where necessary, agree specific contract terms to cover the processing of personal data by US firms, and under such terms, recognise the primacy of the Irish courts in resolving any dispute; and
Where possible, provide a clear notice to your data subjects that their data is being processed in this way – not necessarily for their consent, but at least for their information.
We will, of course, try to keep abreast of developments, and will post regular updates on the PrivacyEngine blog. If you have any concerns regarding your plans for overseas transfer of personal data, don’t hesitate to get in touch directly, or through the PrivacyEngine query facility at