IP & IT analysis: As everyone scrabbles to get their head around Safe Harbour following the Schrems decision, Kirsten Whitfield, director of the data protection practice at Wragge Lawrence Graham & Co, considers the latest developments around Safe Harbour.
If your business transfers personal data to the US then you should be considering what practical steps you need to take following the recent decision on Safe Harbour. When the Court of Justice of the European Union (CJEU) ruled on the invalidity of
Safe Harbour, there was a moment of shocked silence, trailed by a huge buzz about the implications.
In the wake of the CJEU 'Schrems' decision, Schrems v Data Protection Commissioner C-362/14  All ER (D) 34 (Oct), questions have arisen on both sides of the Atlantic but as yet no clear course has emerged to navigate the rough waters ahead.
Ultimately, the solution to personal data transfers to the US (dubbed Safe Harbour 2.0) needs to be hammered out by the politicians.
This does not mean, necessarily, that organisations (either themselves or through third parties) which transfer personal data to the US should do nothing--it is still an option to take some protective steps (even if not completely watertight).
Deciding what to do next will be a risk-based decision that pivots around factors such as the nature of the personal data being transferred outside of the EEA country and the size and nature of the organisation. The Article 29 Working Party's statement
of 16 October and the European Commission's opinion of 6 November (see more on this below) are key to deciding what to do next.
Various opinions from national data protection regulators have also been issued and these will also be important when deciding on next steps/priorities for personal data flows from particular EEA countries. These regulator statements are crucial for understanding
which regulators will take a less 'sanguine' approach than others. In this update we give an overview of two contrasting approaches (UK and Germany).
Working Party Statement of 16 October
The Schrems invalidation of Safe Harbour had immediate effect and allowed no transition period, which immediately rendered personal data transfers to the US solely based on Safe Harbour unlawful.
The Article 29 Working Party (the Working Party), an independent advisory board of representatives from the data protection authorities of the EU Member States, initially released a press release on 6 October announcing the decision of the CJEU and indicating
that it will enter into a round of discussions. The Working Party then followed up with a statement on 16 October indicating that national data protection regulators will allow a short 'reprieve' until the end of January 2016 to allow data exporters
to put in place alternative arrangements.
Their 16 October statement also called for a solution-finding process to enable personal data transfers to the US in a way that addresses the CJEU's criticisms in the Schrems decision. In essence, the downfall of Safe Harbour was the perceived
lack of respect for the fundamental rights and remedies of EEA citizens once their personal data found its way into the hands of government bodies through wide rights of surveillance. Further detail can be found in our update on the Schrems case.
On the upside, organisations have been granted a period of reprieve, but on the downside it was also revealed that this is the calm before the storm. This reprieve is a limited period in which to get prepared. The Working Party went on to express the
commitment of the European data protection authorities to initiate coordinated enforcement proceedings should no solution with the US authorities be found by 31 January 2016.
Safe Harbour 2.0 is definitely on the cards and efforts have been renewed to finalise the '13 point plan' for Safe Harbour. But is it likely that Safe Harbour 2.0 will have been resurrected like a phoenix from the ashes by January 2016? Although the European
Commission's communication of 6 November (more of which below) is helpful and hopeful, in reality having a fully agreed and implemented Safe Harbour 2.0 by the end of January 2016 is overly optimistic.
European Commission 6 November communication
On 6 November, the European Commission issued a press release and a communication to the European Council and Parliament on personal data transfers to the US in which most notably they:
In practice, even if it does only take another three months to reach agreement (taking us to the start of February 2016), this doesn't necessarily mean the new framework will be set up and ready for organisations to start self-certifying themselves with
the FTC (if that is how the new framework will operate). In their concluding remarks the Commission appears to indicate that organisations should not in the meantime 'wait and see'--'Until such time as the renewed transatlantic framework is in place,
companies need to rely on the alternative tools available.'
Given Model Contracts can take months to put in place (and of course if you are relying on an existing third party provider to agree to them--it may never happen) and Binding Corporate Rules ('BCRs') can take years, this seems rather a tall order.
The communication goes on to give an overview of other tools available for transatlantic personal data transfers. Notably, it does not mention any form of 'self-assessment' of adequacy as a mechanism for data transfers. While the UK's Information Commissioner's
Office (ICO) refers to adequacy in its recent statement on Safe Harbour, it should not be assumed that other data protection regulators take the same approach.
Safe Harbour position papers from regulators
Several Member States' data protection authorities have issued position papers on the Safe Harbour ruling to outline their understanding of the decision and how they intend to go about implementing it into their daily practice. There is a striking contrast
between the approach of the German and the UK data protection regulators, illustrating that the prudent data controller attempting to re-assess its personal data transfer strategy needs to factor in a risk assessment based on the country from which
personal data is transferred. Some jurisdictions clearly will be higher risk than others.
Weighing in at one end of the scale, the German data protection authorities published a joint position statement with the federal data protection officer which takes a very strict view of the Schrems decision. Most notably:
The reason for this stringent approach is that these instruments do not protect the transferred personal data from what is considered unacceptably wide rights of access by the US authorities, nor do they provide legal remedies for the non-US data subjects.
While this is logical, the practical consequence of this approach is no legitimate transfers of personal data to the US. For many, simply stopping transfers of personal data to the US (whether to group companies or third party providers) is not an option.
This therefore leaves many organisations in a quandary with no easy solution. The European Commission is clearly conscious of this issue, and its comments to the European Council and Parliament of 6 November are helpful. By contrast, a similar point
is also noted by the ICO in its opinion published in a blog dated 27 October 2015. It seems, though, that the ICO is taking more of a 'let's wait and see' approach to this, and also towards enforcement, than the German authorities.
While the ICO stresses that companies need to take inventory of their data transfers and the implemented protection measures (and recognises that this may be a difficult task for many players in the field), it also advises not to panic or resort to other
measures without thoughtful consideration. They flag that rushing to put other measures in place might not necessarily give the required protection either.
However, what they have not said (unlike the German regulator) is that they intend to prohibit all data transfers to the US as soon as they find out about them. Instead, they offer a glimmer of hope by gently referencing the possibility (for the UK, at
least) to carry out your own assessment of adequacy. Not an ideal solution (because it still leaves a level of uncertainty as to whether the regulator will agree with your assessment) but better than nothing.
However, all parties refer to the ongoing negotiations about the development of a new Safe Harbour, a Safe Harbour 2.0. The EU's Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, highlighted in a speech given before the Committee
on Civil Liberties, Justice and Home Affairs (LIBE) on 26 October 2015 that the negotiations regarding a renewal of the Safe Harbour framework between the EU Commission and the US Department of Commerce (DoC) are continuing with increased speed and
While she refers to the already identified 13 Recommendations of 2013 designed to achieve a heightened level of protection through the Safe Harbour framework, she also explains the Commission's view of the ruling and how it intends to address the concerns
expressed by the CJEU in its negotiations with the US DoC, the essence of which are:
What should you be doing now?
It is clear enough that the Working Party's view is that Safe Harbour can no longer be relied on. That leaves only one realistic option for bulk transfers of personal data to the US--Model Contracts.
None of the press releases, opinions, position statements or other publications provides any kind of certainty. There is currently no fail-safe way for companies to proceed. That does not, however, mean that you should do nothing.
What you can be doing is:
What are the alternative measures that can be put in place?
In practice, the most viable option is likely to be use of European Commission approved Model Contracts. Putting in place Model Contracts will be faster than implementing BCRs. That said, the effort involved in putting Model Contracts in place should not be underestimated:
they need to be completed with details of the data flows and, for transfers to non-EEA data processors, technical security details also need to be completed.
In some countries the model clauses will need approval/notification with the relevant European regulators. It is not an overnight solution: for some organisations, by the time they get through the process, Safe Harbour 2.0 may have emerged like a phoenix
from the ashes.
The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.