2015/10/18: The Safe Harbour Judgment and its Consequences, Continued

In an earlier entry I have described the recent EU Court of Justice judgment invalidating the Safe Harbour Agreement that formed the legal basis for many transfers of personal data from the EU to the USA. At the time of writing, the Dutch national privacy regulator (the "College Bescherming Persoonsgegevens") had not made a statement on this decision yet, instead referring to a meeting of the EU privacy regulators, combined in the so-called Article 29 Working Party. That meeting has now occurred and a statement has been made by the Working Group: see here. So, time to take stock again...

In essence, the statement of the Article 29 Working Group contains three important messages. For the impatient: if you transfer personal data into the USA based on the Safe Harbour Agreement, that is now illegal and you will have to change the way you handle such data - quickly! Also: other methods of transferring such data are under review and could become illegal as well, so it is safer to keep personal data in the EU.

The details:

  1. The Article 29 Working Party calls upon the EU and its member states to come up with a solution. I will not go into detail here; suffice it to say that this will be very difficult given the requirements the EU Court of Justice has set in its judgment for any future agreement between the EU and the USA.
  2. The Article 29 Working Party stresses that data transfers that took place under the now defunct Safe Harbour Agreement are now illegal. I'll deal with this first.
  3. Finally, the Article 29 Working Party announces that it will be looking into the consequences of the EU Court of Justice judgment for other means of transferring data to the USA, with a self-imposed deadline of end of January 2016. More on this below.

First, the problem with Safe Harbour. The statement of the Article 29 Working Party is clear: "transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful". In addition, the Working Party states that "businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis".  In other words: businesses that relied on Safe Harbour have to change the way they do business, or risk the consequences. This warning was repeated recently in a stronger manner by the Bavarian privacy regulator, stating that immediate action is required of any company relying on Safe Harbour.

Given these statements, my advice to any company transferring personal data abroad or even just using the Cloud, is the following (legal disclaimer: this is nowhere near complete, so consult an expert!).

  1. Evaluate thoroughly what personal data are being processed. While doing so, remember that this includes email systems, address books, CRM systems, Human Resources data, and so on and so forth.
  2. For each set of personal data identified in the previous step, identify where the data is stored or processed. Include all backup systems in this evaluation, especially off-site backups. When doing so, look at any agreements or contracts with service providers, but also investigate the actual data flows and in particular the IP addresses of any site or server where data is transferred to. For multi-national companies, include any and all data transfers between facilities / subsidiaries.
  3. If any personal data is transferred to, stored or processed in the USA (whether that is determined by contract or by the actual data flows), determine the legal basis on which this is done. A blog entry is hardly the right place to provide details on how to do this, so if in doubt, consult an expert. However, if the US company receiving the data (e.g. a cloud provider) is listed on the Safe Harbour certification list, then it is a good bet that the legal basis of the data transfer is indeed the now defunct Safe Harbour Agreement.
  4. If it is indeed determined that personal data is being transferred to the USA while relying on the now defunct Safe Harbour Agreement, then immediate action is required. There are in essence four possible solutions. If data is transferred within the same multi-national corporation, using binding corporate rules (with approval from privacy regulators) is one viable possibility. The second option is to negotiate a contract with the US-based service provider based on, and incorporating, EU-approved standard contractual clauses, but this will probably be a very difficult process. The third option is to get specific approval from your privacy regulator for the transfer, but again this is a very difficult process. The fourth, final and best option is to simply ensure that no personal data is transferred to, stored, or processed in the USA.

There is certainly some amount of work involved in this, and there is also the potential need to make significant changes to how personal data is handled in your company. Nor is this limited to large companies: if you are in business for yourself and you use e.g. gmail for all your emails, you may well be forced to change email providers, print new business cards, notify all your existing clients, etc. However, given the statements of privacy regulators, not acting on this creates a risk of legal problems including fines etc. There is absolutely no guarantee regarding the amount of time companies will be granted for coping with this, but the Article 29 Working Party statement seems to hint at stronger enforcement by the end of January 2016.

Why my preference for keeping data inside the EU, even if that means changing service providers? That also follows from the statements of privacy regulators and the Article 29 Working Party that they are still evaluating the impact of the EU Court of Justice judgment on the other legal bases for data transfers to the USA listed above. In other words: there is at least a risk that by the end of January 2016 other means of transferring data to the USA, such as standard contractual clauses or binding corporate rules, could be made illegal as well. For that reason alone, it may be best to simply switch to service providers not in the USA.

As always, I'll post again when there is more news. And I cannot stress this enough: consult an expert when in doubt! This is a potentially nasty situation, with potentially nasty consequences.

This weblog is maintained by Dr. Martin Beckmann LLM. If you discover any inaccuracies, factual errors, other corrections, or questions, please contract him at m.beckmann@beckmann-consult.com or at the contact data listed on our contact page.

© 2013 - 2016 Adviesbureau Beckmann B.V., Eurode-Park 1 - 62, 6461 KB Kerkrade, The Netherlands
KvK / Dutch Chamber of Commerce: 53767373 | Statutaire Zetel / Registered Office: Heerlen
BTW nummer / VAT ID: NL 8510.09.323.B.01
Data Center picture © Gregory Maxwell, distributed under the GNU Free Documentation License v1.2
All other pictures © Dr. Martin Beckmann LLM

We use the WURFL software to provide optimal rendering of this website on mobile devices.
As per the Wurlf license conditions, this software can be downloaded here .