On 10th February 2016 the Information Commissioner’s Office published a new guidance document entitled “Data transfers to the US and Safe Harbor – interim guidance” (“the Interim Guidance.”) The purpose of the document is to address the consequences of a European Court of Justice ruling that the Safe Harbor scheme is invalid.
As many practitioners will know Safe Harbor is the US-EU self-regulatory scheme in which companies in the USA sign up to Privacy Principles and a complaints system providing protection to UK Companies transferring personal data to the US. Prior to October 2015 UK companies were able to rely upon Safe Harbor in the knowledge that the Commission had found in 2000 that the system provided adequate protection for personal date transferred to Safe Harbor member companies in the USA.
However, on 6th October 2015, the Court of Justice of the EU (CJEU) issued its judgment in Schrems v Data Protection Commissioner (Ireland) invalidating the 2000 decision of the EC. The CJEU considered it should be invalidated for the following reasons:
- Safe Harbor contains a derogation allowing personal data to be processed for US national security, public interest and law enforcement requirements, irrespective of the safe harbor principles;
- The Commission itself admitted in two communications that (i) US authorities are able to access the transferred personal data in a way incompatible, in particular, with the purposes for which it was transferred and to an extent beyond that strictly necessary and proportionate for the protection of national security and (ii) affected individuals currently have no administrative or judicial means of redress enabling the data relating to them to be accessed and, as the case may be, rectified or erased.
The CJEU also confirmed that the decision was invalidated on the ground that it restricted the ability of data protection authorities to investigate, by setting the bar for intervention too high. The relevant Directive requires that data protection authorities have independence in their activities and did not authorise the Commission to restrict this right.
The effect of the Schrems judgment is a twin hit on Companies. Firstly, it removed the assurance that when transferring data to the US via Safe Harbor a Company could do so in the knowledge that the transfer met the legal requirement for personal data transferred outside the EU to be adequately protected. Secondly, it increased the potential for greater scrutiny and intervention by a data protection regulator who has the independent power to investigate complaints about the adequacy of the level of protection of data transfers to the US and to suspend data transfers if they conclude that there was inadequate protection.
This has created considerable uncertainty for businesses who rely on safe harbor either for their own, internal data transfers, or because they use a service provider which, in turn, relies on safe harbor to provide adequacy for its transfers to the US. There has been an understandable desire for urgency in agreeing and implementing an agreed alternative data transfer solution.
On 2nd February 2016 the EC announced a new framework to replace Safe Harbor: the “EU-US Privacy Shield.” The Shield, the outcome of post Schrems negotiations between the EU and the US, is not yet a formal adequacy decision and is yet to be assessed by the Article 29 Working Party of European data protection authorities. In reality its introduction does not appear imminent.
The recently issued Interim Guidance is effectively a holding document to cover the period while discussion and negotiation of the Shield continues. In the terms of addressing the consequences of Schrems to the use of its enforcement powers, it is stated that:
“although the ICO approach to considering complaints will not suddenly change it is inevitable that some of the legal certainty that Commission findings of adequacy have provided for businesses in the past will no longer be available … We are not rushing to use our enforcement powers. There is no new and immediate threat to individuals’ personal data that has suddenly arisen that we need to act quickly to prevent. Of course the ICO will consider complaints from affected individuals whatever transfer mechanism you’re relying on but we will be sticking to our published enforcement criteria and not taking rushed action whilst there’s so much uncertainty around and solutions are still possible.”
It is recommended that businesses do not rush to change their systems, and stresses that it is imperative that they now make their own assessment of risk to compliance when making transfers to the US. The Interim Guidance warns against over reliance on obtaining individual consent stating that:
“… individuals may be easily induced to give their consent to the transfer of their data to destinations where there is little or no protection when the Safe Harbor does at least provide them with some genuine protection even if such protection is imperfect.”
The Interim Guidance confirms that the existing Commission decisions on the adequacy of particular countries and on standard contractual clauses still stand and can be relied on by business and that binding corporate rules can still be used. However it is recognised that some of the legal certainty that EC findings of adequacy have provided for businesses in the past is now removed. There is obvious concern about whether the Schrems judgment may have wider application. Data transferred under them is also liable to be accessed by the intelligence services and to a consequent necessary and proportionate challenge by an adversely affected party. Additionally the recognition in Schrems of the powers of the data protection authorities illustrates the potential vulnerability of other EC adequacy findings to being overridden by individual complaints as to inadequate protection.
It is reported that these matters are presently being considered by data protection authorities and by the Article 29 Working Party. The ICO has indicated in the Interim Guidance that it intends to update its published guidance on international transfers in due course.