Background
Data Protection in the EU is currently governed by the 1995 Data Protection Directive, which is currently in the final process of being updated. Many companies (including small companies) depend on data flows in order to operate. It is believed that the EU has some of the highest standards when it comes to data protection and companies can only send EU citizens’ personal data outside of the European Economic Area is there is a guarantee that the data will receive adequate levels of protection.
In 2000, the European Commission approved a streamlined process for US companies to use and store EU citizens’ data across the Atlantic: the Safe Harbour agreement. Safe Harbour had 4,400 US company signatories, all of which had to self-certify that they met the necessary criteria to the US Department of Commerce every 12 months.
Why Safe Harbour became controversial
In light of the 2013 Snowden revelations, an Austrian privacy activist, Max Schrems, was concerned that EU citizen’s personal data could be intercepted by the NSA as part of the PRISM programme. Schrems filed a complaint with the Irish Data Protection Commissioner (DPC) against Facebook because he had concerns about the use of his personal data.
Schrems filed the complaint with the Irish DPC because Facebook’s European Headquarters are in Dublin, Ireland. The Irish DPC rejected the complaint and Schrems filed an application for judicial review with the Irish High Court in June 2014.
The Irish High Court referred the case to the EU Court of Justice (CJEU), which is the EU’s highest court, because this type of data transfers falls under Safe Harbour.
The CJEU’s ruling
The CJEU ruling was published on 6th October 2015 and invalidated the Safe Harbour agreement. This means that there is no longer a streamlined process for data flows across the Atlantic and each of the EU’s 28 Member State’s national Data Protection Authorities (DPAs) now have to evaluate individually if US companies match EU safety standards when dealing with personal data.
Before issuing a judgment, the CJEU considers the Advocate General’s opinion. The CJEU’s judgment is usually given 3-6 months after receiving this opinion, but on this occasion, the CJEU’s ruling was issued in less than 2 weeks. The Apps Alliance wrote a press release as soon as the ruling came out, questioning why the ruling was rushed.
Current State of Play
On Wednesday 14th October, European Commissioners met with tech industry representatives. In attendance were Commissioners Günther Oettinger (Digital Economy & Society), Vĕra Jourová (Justice, Consumers & Gender Equality) and Andrus Ansip (Digital Single Market). The Commissioners listened to the industry representatives’ concerns, yet reports state that there was no major outcome of the meeting.
On Thursday 15th October, the Article 29 Working Party met to discuss the next steps following the CJEU’s ruling. Commissioner Jourová attended, as well as representatives from the 28 EU Data Protection Authorities and the European Data Protection supervisor, Giovanni Buttarelli. According to reports, the meeting lasted 3 hours yet no consensus was reached on a period of grace for companies relying on Safe Harbour, or fallback mechanisms they can use in the absence of Safe Harbour. The fallback mechanisms being discussed at EU level are ‘model clauses’ (templates for contractual terms for companies dealing with overseas data processors, provided by the EC) and binding corporate rules, which outline a company’s policies regarding internal transfers of personal data within a given corporate group.
In its press release, the Article 29 Working Party stated that if no agreement is reached by January, Data Protection Authorities across the EU will undertake massive enforcement against companies illegally transferring data to the US. Any data transfers between the US that are still taking place under what used to be the Safe Harbour agreement are no longer lawful.
Our concerns
With Safe Harbour invalidated, companies no longer have a quick and easy way to handle EU citizens’ data. While this affects big companies, the real damage this ruling has cause will be on small companies, as 60% of the companies that participated in Safe Harbour were small and medium sized enterprises.
Instead of one single process, we are back to having 28 different and diverging regimes. It is unclear which set of rules is now applicable and how US companies can legally transfer data across the Atlantic. For example, German’s Schleswig-Holstein authority published a position paper stating that model clauses are invalid for trans-Atlantic data transfers. German regional Data Protection Authorities are meeting on 21st October with the German Federal Agency to discuss a common approach.
A fragmented approach across the EU will make it very hard for small companies that rely on data transfers to continue to do business!
For more information about our concerns, see this blog post written by Apps Alliance EU Policy Director, Catriona Meehan.
What’s next?
The European Commission and US Congress have been in talks about an updated Safe Harbour Agreement since 2013. We urge both parties to do their utmost to conclude this agreement in order that companies can continue to operate.
In the meantime, we urge the Commission to publish legal guidelines in order that smaller companies, without legal departments especially, can understand how to manage EU citizens’ data in light of the CJEU’s judgment.
Commissioner Jourová is going to Washington DC in November. We hope this helps speed up talks!