Newsletter Corporate Law
This Corporate Law Newsletter of the EY Law Corporate Law department provides you with concise information on the repercussions of the Schrems case on current and future EU data transfers to U.S. Safe Harbor-certified businesses.
1. Background
Pursuant to the EU Data Protection Directive, the transfer to a non-EU country (hereafter referred to as ‘third country’) of personal data which are undergoing processing or are intended for processing after transfer may only take place if the third country in question ensures an adequate level of protection approved by the European Commission. Any transfer of personal data to third countries that does not meet the European Union (EU) “adequacy” standard for privacy protection is prohibited.
Those responsible for the processing have certain possibilities to transfer data to third countries. They can either (i) agree on a model contract with the recipient of the data in the third country, (ii) implement binding corporate rules, or (iii) in certain cases, rely on the exemptions provided in article 22 of the Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data (such as consent of the data subject).
As the United States does not have a comprehensive data protection law and takes a different approach to privacy from that taken by the EU, the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework to bridge the differences in approach and provide a streamlined means for U.S. organizations to comply with the EU Data Protection Directive.
The Safe Harbor Framework consists of a number of Safe Harbor principles that the European Commission recognized as providing an adequate level of protection (hereafter referred to as the ‘Safe Harbor Decision’). U.S. organizations wishing to join the Safe Harbor framework can do so through a mechanism of self-certification and self-assessment, and they must publicly declare that they comply with the Safe Harbor principles. Safe Harbor-certified businesses can then legally import personal data from the EU.
2. The Schrems case in a nutshell: ECJ decision dated 6 October 2015
Mr Maximilian Schrems, an Austrian citizen and Facebook user since 2008, lodged a complaint with the Irish Data Protection Authority concerning the activities of the U.S. intelligence services, in particular the National Security Agency. Facebook Ireland Ltd. transfers the personal data of all its users, including the data provided by Mr Schrems, to its servers in the United States where it is processed. In light of Mr Snowden’s revelations in 2013, Mr Schrems claimed that the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish Data Protection Authority rejected the complaint based on the Safe Harbor Decision whereby the European Commission considered that the United States ensures an adequate level of protection of the personal data transferred.
The High Court of Ireland, before which the case was brought, decided to stay the proceedings and to refer the following question to the European Court of Justice for a preliminary ruling: Does the Safe Harbour Decision prevent a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data?
The Court of Justice held that the existence of a Commission decision does not prevent oversight by the national supervisory authorities of transfers of personal data to third countries. Thus, a Commission decision cannot eliminate or even reduce the powers available to the national supervisory authorities, and those authorities must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the EU Data Protection Directive.
The Court of Justice then went on to examine whether the Safe Harbor Decision is invalid. The Court first pointed out that it alone has jurisdiction to declare an EU act, such as the Safe Harbor Decision, invalid. After careful consideration, the Court of Justice found that the Safe Harbor Decision is invalid. Consequently, the Irish Data Protection Authority is required to examine Mr Schrems’ complaint with all due diligence and must decide whether, pursuant to the EU Data Protection Directive, the transfer of the data of Facebook’s European subscribers to the U.S. should be suspended on the ground that the U.S. does not afford an adequate level of protection of personal data.
3. What are the repercussions for current and future data transfers by your business?
As a consequence of the decision of the Court of Justice, businesses relying on the Safe Harbor certification will need to reconsider their transfer strategy and consider alternative mechanisms under which personal data may be legally transferred to a non-adequate third country.
One alternative for a valid transfer of personal data is that the data subject has given his unambiguous consent to the transfer; note that such consent can be revoked at a later stage.
Another alternative is the so-called binding corporate rules (hereafter referred to as ‘BCRs’). BCRs are binding rules, such as a code of conduct, developed mostly by multinationals, with which all entities within a group of companies and all employees of the group must comply. These rules concern the international transfer of personal data within a group. On a European level, several working documents exist regarding the content of BCRs. Based on these working documents, the Belgian Privacy Commission and the Federal Department of Justice have agreed on a protocol describing the requirements of BCRs. The advantage of BCRs is that one code can be developed for an entire group.
Possibly the fastest means to achieve compliance is by entering into a (model) contract with the U.S. recipient of the personal data. Model contracts can be found on the website of the European Commission. For companies of the same group, a multiplication of contracts can be avoided by including the clauses in an intragroup agreement. Please also note that a copy of the contract must be provided to the Privacy Commission.
Finally, please note that as a result of the Schrems case, your (internal or external) privacy policy may require updating.
Just as a reminder, this also concerns businesses that transfer data to their parent company in the U.S., to a cloud service provider, or even to clients located in the U.S. The data concerned includes, among other things, (e-mail) addresses, telephone numbers and even IP addresses. Unlike in the Netherlands, the powers of the Belgian Privacy Commission have not yet been extended to allow it to impose fines on businesses that violate Belgian privacy legislation; however, it will not take long before this changes.
Please contact us for further queries.