The future of EU-US data transfers - Reactions to the Schrems decision on the EU-US Safe Harbor | Practical Law

by Practical Law Data Protection
Published on 15 Oct 2015. Jurisdictions: European Union, International, USA (National/Federal)
An article setting out reactions from national and EU public bodies and experts from legal practice and in-house departments on the implications of the ECJ's decision in Schrems v Data Protection Commissioner (Case C-362/14, 6 October 2015).
On 6 October 2015, the European Court of Justice (ECJ) delivered its judgment on the preliminary reference in Maximillian Schrems v Data Protection Commissioner (Case C-362/14, 6 October 2015), in which it ruled that the EU-US Safe Harbor Framework is invalid. For more information on the Safe Harbor program and a detailed analysis of the Schrems decision, see Legal Update, ECJ rules that the EU-US safe harbor arrangement is invalid.

Early responses by EU and national bodies

The ECJ's judgment has resulted in immediate response from both the European Commission and the Article 29 Working Party.
During a press conference on 6 October, First Vice-President Timmermans described the judgment as "a confirmation of the European Commission's approach for the renegotiation of the Safe Harbor". He stressed that in the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law. Similarly, Commissioner Jourová emphasised the importance of the judgment for European businesses. She outlined that the Commission's priorities will be to:
  • Guarantee that EU citizens' data are protected by sufficient safeguards when they are transferred.
  • Continue to enable transatlantic data flows, as they are the backbone of the EU economy.
  • Work together with the national data protection authorities to ensure a coordinated response on alternative ways to transfer data.
In its press release, the Article 29 Working Party welcomes the fact that the Court's decision reaffirms that data protection rights are an inherent part of the EU fundamental rights regime. The Working Party points out that it has been studying the impact of mass surveillance on international transfers and has presented its concerns on several occasions. The Working Party is aware that the judgment, taken in the context of the negotiation on the draft Data Protection Regulation and the discussions on the Safe Harbor between the European Commission and the US authorities, has major consequences for all stakeholders.
On 13 October 2015, the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) issued a press release in which it welcomed the ECJ's decision, which vindicated "Parliament's long-standing concerns about the agreement". It called upon the Commission to take immediately the necessary measures "to ensure an effective level of protection equivalent to the protection ensured in the EU". MEPs protested that Parliament had received no formal feedback from the Commission regarding the implementation of the 13 recommendations it made to the US government for a "safer" Safe Harbor (see Legal update, European Commission calls for more robust safe harbor framework), and stressed that "it is now urgent that the Commission provide a thorough update on the negotiations thus far and the impact of the judgment on the further negotiations." They also invited the Commission to reflect "immediately" on alternatives to Safe Harbor and on the "impact of the judgment" on any other instruments used for the transfer of personal data to the US, and to report on it by the end of 2015.
At national level there have been responses from a number of data protection authorities across Europe. According to news reports, the Irish Data Protection Commissioner, Helen Dixon (DPC), welcomed the judgment and the fact that the ECJ has reiterated "the fundamental importance attaching to the right of individuals to the protection of their personal data". She confirmed that the judgment will now be considered by the High Court and that she has instructed her legal team "to take whatever actions are necessary to bring the case back as soon as practicable before the Irish High Court". The High Court's decision in the Schrems case is expected later this month.
Meanwhile, the data protection commissioner of the German state of Schleswig-Holstein has issued a position paper on the decision in which it disagrees with the Commission on the extent to which EU data controllers can rely on alternative mechanisms to justify data transfers to the US. The paper notes, in particular, that transfers on the basis of the data subject's consent may not be effective if it cannot be proven that consent was given freely and on the basis of information that makes it clear to the data subject that their data may be accessed by US public authorities after transfer. The paper also opines that certain provisions of the standard contractual clauses adopted by the European Commission under Article 26(4) of the Directive may make their use for data exports to the US unreliable. Under those clauses, the US recipient of the data must warrant that it has no reason to believe that any laws applicable in its own jurisdiction would have a substantial adverse effect on the guarantees provided for under the clauses. If it cannot give that warranty, the data exporter has the right to suspend the transfer of data and/or terminate the contract. The position paper highlights that, following the Schrems judgment, data exporters must at least consider exercising those rights with regard to data transfers to the US.

Reactions from business and legal practice

In the light of the significant commercial and political impact on data flows between the EU and the US that the ECJ's judgment is likely to have, we have asked a number of experts from in-house departments and legal practice for their views on the practical and legal implications of the ECJ's decision as well as their expectations for future legal and political developments. Their reactions are summarised as follows.

Vivienne Artz, Managing Director & IP/Tech/Privacy Counsel, Citi

Protecting the personal data of our customers and staff is a priority for Citi, and effective and efficient data transfer mechanisms are key to achieving this for our EU customers and staff. The recent ECJ decision declaring the long-standing Safe Harbor invalid has been both surprising and disappointing given that the Federal Trade Commission (FTC) has provided many examples of active enforcement of Safe Harbor over the years, thereby helping to protect the privacy of EU citizens. This judgement has come at a time when negotiations between the EU and the US to further strengthen the Safe Harbor framework seem to be at a very advanced stage, and may now jeopardise these efforts. This decision also appears to be inconsistent with the aim of the draft Regulation, which is to achieve consistency across the member states in relation to data protection matters.
Citi is a leading global bank operating in over 100 countries worldwide. Customers expect that their bank will be able to service their many and evolving needs on a "follow the sun" model, and financial markets are businesses that operate 24/7, requiring data to flow around the world seamlessly, to support economic growth and progress. The traditional brick and mortar banking business is quickly disappearing as we shift to a data-driven business where data is the underlying essence of a transaction. The ability to move, process, store and analyse data is therefore key to our ability to service our clients, to prevent and stop fraud and other crime, to run anti-money laundering programmes, and to safeguard and protect our customers' data. Currently, more than 60% of Citi's interactions with customers are done online, and that number is expected to increase year on year. If a customer from one country travels to another country, they expect to be serviced in the same way. This requires the transfer of data across jurisdictions.
Although Citi itself is not Safe Harbor registered, this decision impacts many of Citi’s vendors and creates a lack of certainty around existing data sharing with the US. It will take time, effort and cost to put in place alternative mechanisms for data transfers, which are also based on Commission adequacy decisions which the Court has challenged with its judgment.
Like many other companies, Citi is looking for consistent, constructive and clarifying guidance from the European Commission and the Article 29 Working Party to make sure that it can choose the right alternatives to Safe Harbor, and that such alternatives have the support of all the national DPAs.

Daniel Cooper, Partner, Covington & Burling LLP

Schrems now forms part of the EU's legal landscape, leaving many on both sides of the Pond sorely disappointed and, in some quarters, shocked. To my mind, Schrems represents a remarkable, and disappointing, act of judicial activism by the ECJ. You do not need to be cynical to conclude that Schrems appears to be a highly politicized judgment. As is well known, the Safe Harbor has had a long, and tumultuous, history. It has attracted more than its fair share of criticism, some of it accurate and some of it uninformed. And yet, the very flaws the ECJ attributes to the Safe Harbor -- at its core, an inability to prevent overly-broad access to data by US intelligence agencies -- permeate every other lawful basis for transferring data to the US. In closing down Safe Harbor, the ECJ opened up Pandora's box.
Of course, the ECJ must take the cases as they come; they cannot pick and choose. Litigant Max Schrems took issue with the Safe Harbor, rather than model clauses, BCRs or even another country's adequacy determination. One can forgive the Court for taking on the Safe Harbor. That said, what is unsettling is the ECJ's willingness to depart from the question referred to it - that is, may EU data protection authorities question a Commission adequacy determination - to consider the validity of the Safe Harbor itself. This it need and should not have done, at least not on the meagre record before it, comprised of uncontested submissions lodged with the Irish High Court. Rather than showing itself to be a deliberative and thoughtful body, the ECJ acted otherwise and decided a question that clearly was not ripe. This was unfortunate.
H.L. Mencken, the noted American journalist, once critically remarked that "a judge is a law student that marks his own examination papers", and thus needn't worry whether he or she arrives at the right result. The Court's decision in Schrems v Data Protection Commissioner confirms this to be as true today as it was in Mencken's time. In hindsight, there were many "losers" as a result of the ECJ's judgment - the European Commission; US business interests; and those eager for a harmonized EU. To this long list of casualties, the ECJ's own good reputation could well be added.

Nicola Fulford, Partner, and Mahisha Rupan, Senior Associate, Kemp Little LLP

Most of the media interest in the Schrems v Data Protection Commissioner judgment has focused on the ruling that the Safe Harbor framework is invalid because it does not provide sufficient protection for the fundamental rights and freedoms of EU citizens. But there is another aspect to this judgement that has garnered less attention – namely, the role of national data protection authorities.
The ECJ emphasised the independence and importance of national data protection authorities in ensuring compliance with the EU Data Protection Directive. In particular, it stressed that any decision of the European Commission regarding the adequacy of data protection measures provided by a non-EU country does not eliminate or reduce the ability of national data protection authorities to investigate whether a transfer of personal data to such a non-EU country complies with the Directive. However, while national data protection authorities are entitled to investigate these transfers, the CJEU alone has the jurisdiction to declare a Commission decision invalid.
Critics of the EU data protection regime point to each member state's varying interpretation and enforcement of the Directive to show a fragmented approach to data protection in the European Union. Following the ECJ's decision, any transfer of personal data to the US will be potentially subject to investigation and possible enforcement action by each national data protection authority. Therefore, there is a unique opportunity for national data protection authorities to counter their critics, give clear and coordinated guidance following their meeting on 15 October, and show a unified and consistent approach to enforcement. This will surely bolster negotiations with the US Department of Commerce regarding a new Safe Harbor package. However, there remains the risk that each national data protection authority will offer a different interpretation of the CJEU decision, making the EU data protection regime more disjointed.

Richard Kemp, Managing Partner, Kemp IT Law

The judgment has come at what will be seen with hindsight as a critical time in the overarching 'citizens' rights v state powers' debate triggered by Snowden in 2013.
We are at the start of enormous change in the development of computing. The cloud is growing at 25% a year and data volumes are growing ten times every five years. At the same time, 2015 is seeing important legal developments which will shape the digital data balance between citizen and state:
  • In the US re the Warrant case where judgment is expected shortly, Microsoft is battling over US overreach of powers to order delivery of Hotmail account emails stored in Ireland but wanted for US criminal proceedings.
  • In July, s.1 of the UK's Data Retention and Investigatory Powers Act 2014 (DRIPA) went the same way as the EU Data Retention Directive and was struck down as inconsistent with the protection of personal data under Article 8(1) of the EU Charter, paving the way for a debate starting shortly here about state surveillance and bulk collection, neatly put into context by 2015's ISC, Anderson and RUSI reports.
  • In September, Russia's data localisation law came into effect, pointing up the risks of Internet balkanisation.
  • The Schrems judgment comes on top of all this, throwing EU/US data flows and national regulator powers into the mix just as the GDPR looks like it's finally getting settled.
Drawing all this together from the policy perspective to get a workable, durable, global solution for businesses, individuals and the state is necessary, tough and doable. Civil society should be more realistic about state powers – they have always been there, always will, and not just in the UK and US. State functions, only a generation on from disavowal, should fear democratic legitimacy and judicial accountability less. International standards have an increasingly important part to play for business.

Phil Lee, Partner and Registered Foreign Legal Consultant with the California State Bar, Fieldfisher

This ruling is unique because, on one level, it changes everything; on another level, life continues exactly as it did before. The change is that companies need to fundamentally re-think the compliance of their (and their vendors') data exports to the US; on the other hand, companies will continue to transfer data to the US exactly as they always have done. No one is shutting down the Internet overnight.
It's not as simple as "just putting in place model clauses" – the practical implications are so much more complex than that. Yes, model contracts are part of it, but you can't just sign the contract and forget about it. You need to map your data flows, internally and externally; identify out of those data flows which need coverage by model clauses or other legal solutions or exemptions; update your privacy policies; amend your customer and vendor contracts and so on. Any way you look at it, it's a significant undertaking.
Much has been said about the rationale of the ECJ's decision – Was it fair? Why didn't they criticise Model Contracts or BCR? What about EU countries with surveillance regimes? At the end of the day, none of that really matters. The ruling has happened, and we now have to live with its consequences.
Regulators will most likely afford companies a grace period to get their houses in order – the ICO has gone on the record to say as much. Customers, however, won't be so forgiving. US-based data processors can now expect a raft of enquiries from their EU-based customers asking them to sign model contracts – and those data processors are going to be faced with a Faustian decision: accept the model clauses knowing full well they're unlikely to be able to comply with all of the model clause requirements; or refuse model clauses and risk losing EU business. The choice is that stark.

Christopher Millard, Professor of Privacy and Information Law, Queen Mary University of London, and Senior Counsel, Bristows LLP

The export controls in the 1995 Data Protection Directive are fundamentally incompatible with the architecture of the Internet. What is surprising is that it has taken 20 years for most people to notice. The basic problem is not the Internet but European legislative overreach. On that score, though it is consistent with its "absurd" ruling in the Google Spain case (Advocate General Jääskinen's term, not mine), the Schrems judgment reinforces the growing sense that the ECJ has very little interest in what happens in the "real" world.
So what next? The Commission is talking up Safe Harbor 2.0 but the ECJ's lofty benchmark and hostility from European Parliamentarians will militate against such a deal. Model contracts, BCRs, and country adequacy decisions may well prove vulnerable to the same challenge as the Safe Harbor. The proposed DP Regulation, which would inflame international conflicts by creating draconian penalties for unavoidable breaches, also looks increasingly inappropriate. Privacy laws which cannot be complied with are bad laws and serve no one, except of course DP lawyers who have never been busier.
More fundamentally, and leaving aside the hypocrisy of it all (given that EU governments also engage in widespread surveillance of their own and foreign nationals), the Schrems decision is likely to be counter-productive in terms of protecting individual rights. Many Europeans are angry about NSA surveillance, but is it really preferable to demolish the legal basis for supervising transfers of personal data to the US? Further moves towards forced-localization of cloud and other Internet services are also unlikely to promote privacy rights in the EU or anywhere else.
For now, however, many millions of Europeans continue to post on Facebook, to tweet, to send and receive emails, and to benefit in numerous other ways from global data transfers, including Maximillian Schrems.

Stewart Room, Partner and Global Head of Cyber Security and Data Protection, PricewaterhouseCoopers Legal

This case tells us very clearly that the citizen, the regulators and the judiciary cannot be bound by remote decision-taking on data protection by the European Commission. Therefore, this case places a question mark over the remaining Commission adequacy decisions for transfers.
So, what should entities do to protect themselves against challenges that they are sending data to unsafe environments? Of course, they should try to shield themselves through adherence to model clauses, the White List or BCR (if they feel that consents and contracts can't help them), but they should not place their trust solely in those mechanisms. Additionally, they should examine their operational adequacy for data protection and be ready to prove their adequacy, if challenged.
The Safe Harbor case reveals that the way the EU data protection regime has been designed means that entities can be flung into technical legal non-compliance through no fault of their own. That's a dreadful position for data controllers to be put in, but, they do have control over their own adequacy and how they address challenges. If the entity has a good operational model, a good compliance framework and a good assurance framework in place, they will be able to address the real "money point" in data protection, namely the taking of appropriate measures to protect personal data. This is the most important learning lesson from this case.

Bridget Treacy, Partner, and Rosemary Jay, Partner, Hunton & Williams

In Schrems v Data Protection Commissioner, the ECJ dealt a mortal blow to the EU-US Safe Harbor, a transfer mechanism that has served the needs of trans-Atlantic trade for the past 15 years. Having ruled that the Irish DPC must investigate whether the transfers in question are subject to an adequate level of protection, the ECJ went further and sounded the death knell for the Safe Harbor by declaring it to be invalid. The ECJ's criticisms focused on the widespread, indiscriminate nature of the alleged surveillance, and the lack of redress for EU citizens before a US judicial authority.
Whether Safe Harbor can be resurrected remains to be seen. Work had been underway for some time to update the Safe Harbor to address these known criticisms from Europe. Rumour has it that in the wake of Schrems the European Commission was quick to dispatch negotiators to Washington DC to meet with the Department of Commerce. However, there seems little prospect that any deal will be reached quickly.
Today, European DPAs will tell us their view of the impact of Schrems on cross-border transfers. As expected, the ICO has already taken a pragmatic approach, acknowledging immediately that organisations will need time to implement replacement transfer mechanisms. Adopting a different approach, the more conservative DPA for the German state of Schleswig-Holstein issued a position paper arguing that data transfer mechanisms such as consent, contract performance and model clauses may also be vulnerable, creating significant concern among businesses.
At a practical level, companies are taking stock of their data flows, and awaiting guidance from the WP29. A number of companies are considering entering into binding corporate rules, extending the detailed work already undertaken as part of their Safe Harbor certification. Others are looking to the model clauses. Whatever mechanism is used, transfers of personal data are now likely to be subject to much greater scrutiny. And, in the interim, we wait to see whether Safe Harbor 2.0 will somehow rise, phoenix-like, from the ashes.

Ashley Winton, Partner, Paul Hastings (Europe) LLP

The ECJ has provided a well-timed reminder that the introduction of privacy as a fundamental right with the EU Charter of Fundamental Rights is more fundamental than anyone, including the European Commission, thought. The consequences are significant.
Firstly, it is interesting to see that the German Schleswig-Holstein data protection group has broken ranks and declared the model contracts unsafe ahead of the hastily convened Article 29 Plenary Meeting today, and we await with interest to see if the Article 29 Working Party can give unqualified support for model contracts and their many other decisions of adequacy in relation to the export of personal data from Europe.
Secondly, one important consequence of the decision is that it has empowered national data protection authorities at the expense of the Article 29 Working Party. It is therefore now very important to know which data protection authorities apply to your business. After Google Spain and Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (Case C-230/14), this is not as straightforward a test as you might think, and having websites targeted at a particular member state may now bring you within the local data protection regime where before you could just rely upon the member state of your main establishment. It is now important to keep an eye on your operations across Europe, especially in Germany.
Finally, the Schrems case reminds us that the Article 29 Working Party opinions are not legal opinions, they are just their opinions. In a funny sort of way this might be good for business, as we may feel less shackled by the "soft law" that the Article 29 Working Party is prone to provide.

Steve Wright, Chief Privacy Officer, Unilever

This month’s ECJ decision was a significant decision for the European privacy regime. Organisations must now review their data sharing arrangements with the US and apply additional measures where appropriate to ensure they are lawfully transferring data to and from the US.
Taking a step back, there have been long discussions between Brussels and Washington about Safe Harbor Version 2 (the new "NEW Safe Harbor") with tighter sanctions and enhanced controls. Both sides were close to concluding an agreement, but the ECJ’s judgement will likely complicate negotiations. In light of the above, whether or not Safe Harbor 2 arrives, it is likely that US third parties collecting and processing EU data subjects will need to consider one or more of the following options:
  • Establish data centres in the EU and ensure that personal data can only be accessed within the European Economic Area.
  • Sign EU "Model Clauses" agreements between the data controller and data processor.
  • Obtain "Consent" from all EU data subjects to transfer their data to the US.
In the interest of time and effort, it is likely that most US third parties will select the option to implement the EU Model Clauses.
What needs to be done?
The options available are either to enter into new EU model clauses agreements with US third parties, to obtain the necessary consent (if feasible), or to request that servers are relocated within the EU. Therefore, until the EU concludes an agreement with the US relating to a Safe Harbor (version 2), you should consider taking the following actions:
  • Work with your Procurement teams to determine which third parties are Safe Harbor certified and processing and accessing EU personal data from the US.
  • Conclude EU Model Clauses or request that they move their data centres to the EU and provide access to affiliates and sub-contractors in the EU only.
  • Where you opt for the EU Model Clauses route, you will need to ensure that a clause is included to restrict the sharing of EU personal data with the US government.
The work involved in resolving this is likely to amount to several months of work and renegotiations with US third parties. However, the true impact and the time you dedicate will depend upon many factors, for example the size and resources of your organisation, and the scale and sensitivity of the data concerned. The reality is, there are no "one-size-fits-all" options.