The European Commission has reiterated its wish for a swift agreement on a new Safe Harbor agreement. It has urged U.S. authorities to take the next step in on-going negotiations. Meanwhile, the EC has published guidelines for alternative methods for transatlantic data flows.
The EC hopes to reach a deal with the U.S. on Safe Harbor 2.0 by January 2016. Speaking at a press conference in Brussels, Vĕra Jourová, European Commissioner for Justice and Consumers said, “it is now for the U.S. to come back with their answers.”
Talks on a new agreement have been in progress for several years, but the urgency for an updated framework has been accelerated by the Schrems ruling by the European Court of Justice (CJEU) that Safe Harbor, a simple mechanism whereby companies could transfer data, is invalid. The ruling in Schrems found Safe Harbor does not provide legal safeguards concerning data transfers.
The EC has sought to reassure more than 4,400 firms who relied on Safe Harbor that transatlantic transfers can continue. In their guidance document the Commission details two options under which firms may still pursue data transfers; Standard Contract Clauses (SCCs – also known as Model Clauses / Model Contracts) and Binding Corporate Rules (BCRs).
With the aim of facilitating international data transfer the Commission has approved four sets of SCCs. In brief, two of these relate to transfers between controllers and the others concern transfers between a controller and processor acting under its instruction. For further information click HERE
In addition to SCCs, companies can rely on ad hoc contractual arrangements, providing they are approved on a case-by-case basis by the relevant Data Protection Authorities (DPAs).
The Commission advises multinational companies who need to transfer personal data from the EU to various entities of a corporate group outside the EU, to adopt BCRs. BCRs are a tool which can ensure compliance with the transfer requirements under Article 26(2) of the EU Data Protection Directive (Directive 95/46/EC). Data transfers on the basis of BCRs, under laws in most EU member states, must be authorised by the DPAs in each member state from which the company intends to transfer data.
“Whatever they choose, they must be able to prove that the protection is in place, that they guarantee the protection of data transferred to the U.S. This is especially a challenge for SMEs,” said Vĕra Jourová.
Companies can in certain cases rely on one of the derogations set out in Article 26 (1) of Directive 95/46/EC. These include unambiguous consent, necessity for the performance of a contract, legally required on grounds of public interest etc.
Critics have been quick to attack the EC’s guidance saying the alternatives are unworkable. Experts say BCRs are too costly and take too long to implement. Model Clauses are criticised for being too complex to execute and for being mistrusted by some privacy regulators.
Meanwhile it’s feared Safe Harbor 2.0 may fail to resolve the questions raised by the CJEU and that only wholesale reform of U.S. law will provide the guarantees EU law requires. Vice President of the European Commission, Andrus Ansip, has acknowledged this concern: “it’s up to lawyers to say exactly what will be needed. A legally binding administrative decision will be needed to make this Safe Harbor 2.0 bulletproof.”
What is clear, whatever the proposed solution, is that Safe Harbor’s replacement will need to stand up to intense scrutiny by the EU’s highest court.
Published November 2015
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.