Category: Safe Harbor
18. December 2020
The data transfer agreements between the EU and the USA, namely Safe Harbor and its successor Privacy Shield, have suffered a hard fate for years. Both have been declared invalid by the European Court of Justice (CJEU) in the course of proceedings initiated by Austrian lawyer and privacy activist Max Schrems against Facebook. In either case, the court came to the conclusion that the agreements did not meet the requirements to guarantee equivalent data protection standards and thus violated Europeans’ fundamental rights due to data transfer to US law enforcement agencies enabled by US surveillance laws.
The judgement marking the end of the EU-US Privacy Shield (“Schrems II”) has a huge impact on EU companies doing business with the USA, which are now expected to rely on Standard Contractual Clauses (SCCs). However, the CJEU tightened the requirements for the SCCs. When using them in the future, companies have to determine whether there is an adequate level of data protection in the third country. Therefore, in particular cases, there may need to be taken additional measures to ensure a level of protection that is essentially the same as in the EU.
Despite this, companies were hoping for a new transatlantic data transfer pact. Though, the European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski expressed doubts on an agreement in the near future:
I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system without a Privacy Shield like solution will last for a while.
He justified his skepticism with the incoming Biden administration, since it may have other priorities than possible changes in the American national security laws. An agreement upon a new data transfer mechanism would admittedly depend on leveling US national security laws with EU fundamental rights.
With that in mind, the EU does not remain inactive. It is also trying to devise different ways to maintain its data transfers with the rest of the world. In this regard, the EDPS appreciated European Commission’s proposed revisions to SCCs, which take into consideration the provisions laid down in CJEU’s judgement “Schrems II”.
The proposed Standard Contractual Clauses look very promising and they are already introducing many thoughts given by the data protection authorities.
19. December 2019
Today, Thursday 19 of December, the European Court of Justice’s (CJEU) Advocate General Henrik Saugmandsgaard Øe released his opinion on the validity of Standard Contractual Clauses (SCCs) in cases of personal data transfers to processors situated in third countries.
The background of the case, on which the opinion builds on, originates in the proceedings initiated by Mr. Maximillian Schrems, where he stepped up against Facebook’s business practice of transferring the personal data of its European subscribers to servers located in the United States. The case (Schrems I) led the CJEU on October 6, 2015, to invalidate the Safe Harbor arrangement, which up to that point governed data transfers between the EU and the U.S.A.
Following the ruling, Mr. Schrems decided to challenge the transfers performed on the basis of the EU SCCs, the alternative mechanism Facebook has chosen to rely on to legitimize its EU-U.S. data flows, on the basis of similar arguments to those raised in the Schrems I case. The Irish DPA brought proceedings before the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling, the Schrems II case.
In the newly published opinion, the Advocate General validates the established SCCs in case of a commercial transfer, despite the possibility of public authorities in the third country processing the personal data for national security reasons. Furthermore, the Advocate General states that the continuity of the high level of protection is not only guaranteed by the adequacy decision of the court, but just as well by the contractual safeguards which the exporter has in place that need to match that level of protection. Therefore, the SCCs represent a general mechanism applicable to transfers, no matter the third country and its adequacy of protection. In addition, and in light of the Charter, there is an obligation for the controller as well as the supervisory authority to suspend any third country transfer if, because of a conflict between the SCCs and the laws in the third country, the SCCs cannot be complied with.
In the end, the Advocate General also clarified that the EU-U.S. Privacy Shield decision of 12 July 2016 is not part of the current proceedings, since those only cover the SCCs under Decision 2010/87, taking the questions of the validity of the Privacy Shield off the table.
While the Advocate General’s opinion is not binding, it represents the suggestion of a legal solution for cases for which the CJEU is responsible. However, the CJEU’s decision on the matter is not expected until early 2020, setting the curiosity on the outcome of the case high.
21. March 2018
A trading deal between two companies often includes a high number of coincidentally transferred personal data. From the 25th May 2018 on the new GDPR regulates the data flow in the European Economic Area (EEA) that consists of all the members of the European Union, Iceland, Liechtenstein and Norway. The future status of Great Britain will be primarily the status of a third country.
Otherwise, business relationships to companies from non-EU or EEA States (like the USA, China, …) cannot guarantee the data protection standard of the GDPR automatically. Especially since the overruling of the “safe-harbour” agreement of the EU with the USA by the European Court of Justice (ECJ), every company that transfers data over the Atlantic is obligated to fulfil the data protection by itself. The European Commission (EC) recommends in its communication from the 10th January 2017 the use of so-called standard contractual clauses (SCC) or binding corporate rules (BCR), when an EU-based company transfers personal data to a non-EU based company or non-EU based entity of its corporate group.
This has a wide impact to the daily trade deals that are made all over Europe with third country companies. The EU recommends the data protection going hand in hand with the trading deals, to ensure the relatively high data protection level, which is based on Article 8 of the Charter of Fundamental Rights of the European Union. Especially until the ePrivacy-Regulation of the EU is not in force, every company has to ensure the standard of the GDPR by implementing a privacy policy, in which transfers of data to a third country has to be mentioned.
In conclusion, a company that trades with third country companies needs to enter a special data protection contract with the trading partner and needs to inform its clients by its privacy policy.
11. December 2017
The Working Party 29 (WP29), an independent European advisory body on data protection and privacy, has evaluated the Privacy Shield agreement (framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, see also our report on One year of Privacy Shield).
In its joint review, the WP29 focusses on the assessment of commercial aspects and governmental access to personal data for national security purposes.
Though acknowledging progress, the WP29 still finds unresolved issues on both sides.
It criticizes the lack of guidance and clear information on the principles of the Privacy Shield, especially with regards to onward transfers, the rights of the data subject and remedies.
The US authorities are further requested to clearly distinguish the status of data processors from that of data controllers.
Another important issue to be tackled is the handling of Human Resource (HR) data and the rules governing automated-decision making and profiling.
Also, the process of self-certification for companies requires improvement.
In terms of access by public authorities, the WP 29 concludes that the US government has made effort to become more transparent.
However, some of the main concerns still are to be resolved by May 25th, 2018.
The WP 29 calls for further evidence or legally binding commitments to confirm non-discrimination and the fact that authorities don’t get access on a generalized basis to data transferred to the USA from the EU.
Aside from these matters, an Ombudsperson still needs to be appointed and her/his exact powers need to be specified. According to the WP 29, the existing powers to remedy non-compliance are not sufficient.
In case no remedy is brought to these concerns in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
6. March 2017
Vera Jourová, the European Union’s justice commissioner, is willing to suspend Privacy Shield in case the Trump administration budges from the result of the negotiation between the Obama administration and the European Union.
The Privacy Shield pact was meant to replace the Safe Harbor decision of the European Commission that was overturned in October 2015 by the European Court of Justice (ECJ). The pact’s purpose is to enable the transfer of EU citizens’ personal data to the US while ensuring the protection of those data.
Concerns about the effectiveness of the Privacy Shield came up as President Trump passed an executive order in January 2017 saying “agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Although the US Department of Justice already affirmed the US’s commitment to the Privacy Shield, Jourová stays sceptical and wants to keep an eye on the US government’s stance. In case EU citizens’ personal data are not safe in the US Jourová will not hesitate to suspend the pact.
7. June 2016
The Data Protection Authority of Hamburg just announced in a press statement that it checked the data transfers of 35 international organizations that are based in Hamburg.
After the judgment declaring the former Safe Harbor Framework by the European Commission invalid in October 2015 by the European Court of Justice, the DPA contacted organizations in Hamburg operating also in the U.S. and reviewed the transfer of personal data to the U.S. in order to determine whether other instruments are used than the Safe Harbor Framework. According to the mentioned press statement, the review has revelied that the majority of the companies had changed the legal basis of their transfers of data by implementing standard contractual clauses (SCC).
However, according to a report by Spiegel Online, there were three companies that did not change their legal basis for data transfer. Therefore, the three companies were fined:
Adobe (8.000 Euros), Punica (9.000 Euros) and Unilever (11.000 Euros)
As all three companies have changed the legal basis for data transfering during the proceeding, the DPA imposed a fine that was significantly smaller than the maximum of 300.000 Euros.
1. June 2016
The European Parliament approved a resolution concerning the European Commission reopening negotiations with US authorities on the EU-US Privacy Shield last week. Furthermore, the resolution intends to implement the recommendations of the Article 29 Working Party on the draft Privacy Shield adequacy decision.
The resolution that was approved by the majority of members of the European Parliament says that the executive still needs to improve the data transfer deal allowing US authorities to collect EU citizens’ data.
Although the Parliament’s opinion is not binding, it builds up pressure on the Commission in order to increase the level of data protection in the much discussed agreement.
After the Safe Harbour agreement was declared invalid last October due to the fact that it did not protect European citizens’ data once they were sent to the USA, the executive is now behind schedule as EU Justice Commissioner Vera Jourova and Digital Commissioner Günther Oettinger initially stated that the new agreement should go into effect by the end of June. However, in order for that to happen a group of diplomats from European member states have to sign their approval first. Nevertheless, although the diplomats were expected to vote on the Privacy Shield last week, they delayed their final decision as they scheduled new meetings up until the end of June.
Generally, the Commission has already finished the negotiations concerning the Privacy Shield with US authorities, though clarification on some points is needed. Commission spokesman Christian Wigand described the clarifications as realistic changes and not a drastic renegotiation of the agreement.
However, the Parliament’s resolution intends to take criticism from national privacy protectors of the European member states “fully” into account.
4. February 2016
After the Press Conference held by Věra Jourová and Andrus Ansip from the European Commission about the proposal for a new agreement between EU and U.S. to carry out international data transfers, the WP29 met on the 2-3 February in order to discuss the consequences of the sentence from the ECJ and the future of international data transfers between EU and the U.S.
The WP29 has remarked that the following four guarantees should be ensured when international data transfers take place:
a) Transparency: the data subject whose data is processed should be informed so that he/she is able to foreseen the consequences of the data transfer.
b) Proportionality and necessity: the finality for which personal data is collected and accessed and the rights of the data subject should be balanced.
c) Independency of a control body that carries out checks in an effective and impartial manner.
d) Effective remedies: the individual should have the possibility to defend his/her rights before an independent body.
The WP29 will also analyze the existing mechanisms to carry out international data transfers, which currently can only take place if Standard Contractual Clauses or Binding Corporate Rules (BCR) are used. In any case, European DPAs will examine data transfers on a case-by-case basis.
However, the WP29 is still looking forward to receive the relevant documents related to the EU – U.S. Privacy Shield in order to analyze its content and to determine to which extent the agreement is legally binding.
If you would like to be updated on a regular basis on this and other data protection issues such as the General Data Protection Directive (GDPR), sign in for one of our newsletters:
German / European Data Protection http://www.datenschutzticker.de/newsletter/ (German Language)
International Data Protection http://www.privacy-ticker.com/newsletter/ (English language)
For how to proceed with your companies´ policies on internal or external data protection transfers to third countries and prepare for the GDPR seek individual advice.
3. February 2016
After continuous negotiations during the last months to agree on a new framework for international data transfers, since the ECJ invalidated the Safe Harbor Decision, Andrus Ansip (EU Commission Vice-President) and Věra Jourová (Commissioner) announced yesterday in a Press Conference that a new agreement (EU – U.S. Privacy Shield) to carry out international data transfers has been reached.
Under the EU – U.S. Privacy Shield, the following elements will be regulated:
- Several redress possibilities will be guaranteed to EU citizens when data transfers to U.S. take place and companies, as first redress possibility, will have deadlines to resolve complaints.
- The resolution includes a “multi-layered” approach in order to avoid that any complaints remain unresolved by offering different resolution mechanisms. Also the European DPAs will have the possibility to refer complaints to the U.S. Department of Commerce and to the Federal Trade Commission.
- Companies will be subject to strong obligations regarding the processing of personal data imported from EU Member States. Particularly, personal data processed for HR purposes in the U.S. will have to comply with the decisions of EU DPAs.
- It will be ensured that national authorities only have access to personal data from EU citizens in exceptional cases and subject to the principles of necessity and proportionality.
- The figure of the “ombudsman” will be created, in order to make possible that EU citizens can complain regarding surveillance activities by national authorities.
This new framework should be reviewed in an annual basis, so that the rights of EU citizens regarding data protection are continuously ensured. This is an important step forward in comparison with the invalidated Safe Harbor Decision.
Although the main points of this agreement have been discussed, the written draft may take up to three months, as Commissioner Věra Jourová said. The Working Party 29 will advise the College of Commissioners on this issue before adopting the official decision. Additionally, the agreement will have to withstand scrutiny from the ECJ.
2. February 2016
European officials and the U.S. agreed today on a new safe harbor agreement. The EU Article 29 Working Group had set a deadline until the end of January 2016 to find an alternative agreement, which was missed. The agreement still needs to be approved by the 28 member states. Further information on the new safe harbor agreement is expected after the EU Article 29 Working Group meeting, which is supposed to take place today and tomorrow.
