Channel: Symantec Connect - Blog Entries

Latest Developments of Cross-Border Data Transfers

Insights on GDPR impacts

One of the most frequent forms of data transfer covered under EU privacy law is the transfer of data from Europe to the United States. Often this takes the form of using cloud-computing resources or outsourcing of information technology services. Since the ECJ decision on Safe Harbor in October 2015, the question of legitimate cross-border data transfers has been a key theme among privacy and information technology practitioners.

Between October 2015 and the summer of 2016, there have been a number of developments in privacy law that affect data transfers. Four key developments affecting technology practitioners are explored below.


What Has Changed?

The introduction of the General Data Protection Regulation (GDPR) builds on the existing legal framework of Directive 95/46/EC. In that sense, the data transfer landscape does not fundamentally change with the advent of GDPR. The most frequently used transfer mechanisms foreseen by 95/46/EC are an adequacy finding, the unambiguous consent of the data subject, the standard model clauses approved by the European Commission, and binding corporate rules. The GDPR maintains these four and creates additional mechanisms, including the privacy codes of conduct, the privacy certification mechanisms, and standard contractual clauses adopted by a data protection authority and approved by the European Commission.

How Does the Safe Harbor Ruling Impact Data Transfers and the GDPR?

The Safe Harbor decision was an “adequacy finding” from the European Commission on which industry relied for years to conduct data transfers. The invalidation of Safe Harbor means that data transfers are still legally possible, but for them to be valid, they should use one of the other mechanisms foreseen in 95/46/EC. Practically, this means that the standard model clauses and the binding corporate rules become the most frequently used transfer vehicles. Even if the GDPR were in force today, the situation would not have been very different. More transfer mechanisms would have been available, but not the adequacy finding that Safe Harbor provided.

The Expected Outcome of the EU-US Privacy Shield

Adopted to replace the now-invalid Safe Harbor, the Privacy Shield is essentially a framework of rules that renders transfers safe as long as companies commit to abide by those rules. It is a framework that provides what is considered an adequate level of protection, and as such, it receives an “adequacy finding” that is one valid legal basis for data transfers under both 95/46/EC and the GDPR. One should note that the Privacy Shield is a more onerous framework than the invalid Safe Harbor and is subject to more frequent reviews and certification requirements. Its protections from activities of public authorities extend to other transfer mechanisms, such as the model clauses. A number of companies have already adopted the Privacy Shield as their preferred transfer mechanism.

On-Going Litigation Concerning Privacy Shield and Other Transfer Instruments

At this point, there is an on-going case before the courts of Ireland that may end up in the European Court of Justice. The timelines are unclear, as is the outcome of the judgment and its impact on Privacy Shield or on any other transfer instrument. The negotiators of the EU-US Privacy Shield developed it with the expectation that it may be challenged in court but have expressed confidence in the legality of the agreement. Until a judgment is issued, Privacy Shield and the other existing transfer mechanisms continue to be a valid way to transfer data.

A degree of ambiguity is to be expected as the evolution of privacy legislation continues once the GDPR comes into force. A key aspect of the GDPR is risk management. In that sense, data transfers are not very different. It is becoming impossible to prevent data transfers in the current globalized economy. Therefore, the focus of information technology professionals needs to be on understanding the legal requirements and managing the technological and commercial risk appropriately.


