Schrems & roundabouts: Cross-border eDisclosure and personal data

Dominic Tucker, Senior Consultant at Anexsys Ltd, considers cross-border eDisclosure and personal data in the light of Schrems, which invalidated the Safe Harbour framework.

Citizens of the EU are protected from having their personal data transferred to territories outside the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections.

The current EU data protection regime is based on Directive 95/46/EC, which requires each Member State to enact data protection legislation that is at least as rigorous as the rules set out in the Directive.  The UK, for instance, has implemented the Directive by the Data Protection Act 1998.

Safe Harbour

The ‘safe harbour’ agreement that was made between the EC and the US government essentially promised to protect EU citizens’ data if transferred by American companies to the US.

It allowed companies, such as Facebook, to protect EU citizens’ data by self-certification and was binding under U.S. law and enforceable by the U.S. Federal Trade Commission.

Importantly, in the context of dispute resolution, and although a less than perfect solution, it was sometimes relied upon to facilitate the transfer of data to the United States in support of cross-border eDisclosure exercises.

Schrems

The recent Schrems decision has invalidated the Safe Harbour framework, and to much fanfare. The decision was not totally unexpected though and some have expressed surprise that the regime had lasted so long.

The background to Schrems lies in the United States’ PRISM intelligence gathering programme which grants U.S. authorities access to data stored and processed in the United States, including data held under the Safe Harbour regime. Such access was found to compromise “the fundamental right to respect for private life”.

What now?

Schrems leaves a hodgepodge of rules and uncertainty in place, but this is not really anything new.

Transfers of data / documents containing personal information, which previously relied on Safe Harbour for legitimacy, may now find themselves the subject of investigation and enforcement action by national data protection authorities (DPAs).

On 19 October 2015, the Article 29 Working Party (a body comprised of representatives from each DPA and the European Data Protection Supervisor), issued a statement which, amongst other things, confirmed that Safe Harbour is invalid but that Standard Contractual Clauses and Binding Corporate Rules can still be used as a basis for data transfers, “in the meantime”, whilst the Working Party continues its analysis on the impact of the Schrems decision.

Pending the outcome of this analysis and if no appropriate solution is in place by the end of January 2016, DPAs will take all necessary and appropriate action, which may include coordinated enforcement action.  DPAs will put in place appropriate information campaigns at a national level however.

On 6 November 2015, the European Commission issued guidance summarising the alternative ways to transfer personal data to the United States in compliance with existing data protection laws.  These included contractual solutions, intra-group transfers and the derogations set out in Article 25(6) of the Directive.

Solutions for eDisclosure

As mentioned above, Standard Contractual Clauses or Binding Corporate Rules may still be used as a basis for data transfers.  Where these provide no sound basis for the transfer of personal data, the following derogations and solutions may help for the purposes of eDisclosure:

1. consent – although personal data may be transferred to the United States where the data subject has provided their consent to a proposed transfer, this is not as straightforward as it may sound and a number of factors should be considered
2. permanent anonymisation or aggregation of data -- where consent cannot be obtained, parties should consider the extent to which data can be prepared for export so as to carefully manage or eliminate personal data, including anonymisation or aggregation and review

Further information

• A more detailed version of this analysis is available to Lexis®PSL Dispute Resolution subscribers here. Sign up for a free trial here if you are not a subscriber and would like to read that full analysis.
• Subscribers to Lexis®PSL can find Schrems v Date Protection Commissioner case analysis here

Dominic Tucker is a Senior Consultant at Anexsys Ltd, a leading provider of outsourced eDisclosure and litigation support services to law firms, corporations and government departments.