A Friendly Reminder of Alternatives from the EU Commission
Data Privacy & Security Alert 11/25/15 Heather L. Buchta
Prior to October 6, 2015, compliance with the Safe Harbor Framework (set forth by the U.S. Department of Commerce in cooperation with the EU Commission) had provided a fairly straightforward mechanism to facilitate personal data transfers between the EU and the U.S. in light of the EU Data Directive 95/46/EC (the Directive). When the European Court of Justice ruled on the Schrems case and invalidated the Safe Harbor Framework as an adequate means to transfer personal data, the Court left companies in the U.S. and abroad scrambling to determine how best to conduct their day-to-day business. One month to the day from the Schrems decision, the European Commission released a communication to remind companies of their data transfer alternatives.
The Commission’s communication sets out the various alternative grounds upon which personal data may still be transferred outside of the EU in compliance with the Directive. While none of this information is new, the communication is very helpful in laying out the alternative courses companies can consider. And while we have noted previously in our data privacy blog that none of these alternatives will necessarily be an easy fix, the communication is a reminder that companies need to be shifting their focus from the handwringing that followed the Schrems decision to actionable steps to move forward until a more thorough agreement is reached between the EU and the U.S.
Standard Contractual Clauses
The Commission has approved four sets of standard contractual clauses that provide the sufficient safeguards necessary for Article 26(2) of the Directive. There are two sets of model clauses for transfers between data controllers and two sets of model clauses for transfers between a controller and a processor acting at the controller’s instruction. Member States cannot refuse transfers of data that are based on the standard contractual clauses; however, the Commission is careful to note that Member States of course have the right to examine the clauses in light of the Schrems ruling.
In addition, it is important to note that while most Member States do not require prior national authorization to proceed with a transfer under the standard contractual clauses, some Member States do have a system of notification or preauthorization for use of standard contractual clauses. Of course, companies can also enter into contracts that vary from the approved standard contractual clauses, but contracts of that variety would need to be approved on a case-by-case basis by the national data protection authorities.
Use of the preapproved model clauses may be a viable alternative, provided you consider the applicable Member State laws to determine whether any notification or preauthorization would be required.
Binding Corporate Resolutions
For entities that transfer data from the EU to affiliates, binding corporate resolutions (BCRs) may also be a viable alternative. Implementation of BCRs means the company doesn’t have to have contracts in place with all of the affiliate entities. Instead the entire group of affiliated companies implements rules that are binding on the entire corporate group. While potentially more efficient for transfers between related entities, under most Member States’ laws data transfers based on BCRs have to be authorized by the data protection authority in each Member State from which the personal data will be transferred. The Article 29 Working Party, which is the independent organization of representatives of all data protection authorities from Member States as well as the European Data Protection Supervisor, has set out some streamlined processes to help facilitate approval.
Derogations
The Commission identifies the third alternative for companies to facilitate personal data transfers as “derogations” or, more fully, “derogations from the general prohibition of transferring personal data to entities established in a third country without an adequate level of protection.” In other words, these are the exceptions to the rule that personal data can’t be transferred from the EU to the U.S. The Directive identifies six exceptions upon which a company could rely to facilitate data transfers, which generally are as follows:
- The data subject provides unambiguous consent.
- The transfer is necessary for the performance of a contract between the data subject and the controller.
- The transfer is necessary for the performance of a contract concluded in the interest of the data subject between the controller and a third party.
- The transfer is necessary or legally required on “important public interest grounds” or for the “establishment, exercise or defense of legal claims.”
- The transfer is necessary in order to protect the vital interests of the data subject.
- The transfer is made from a register intended to provide information to the public that is open to the public or to any person who can demonstrate a legitimate interest.
While these exceptions may be helpful in some instances, the Commission’s communication reminds us that the Article 29 Working Party intends these exceptions to be strictly interpreted, and thus they are likely to be fairly narrow in practice.
For most companies, implementation of the standard contractual clauses is most likely the best solution in the short term. However, each company will need to give thought to its corporate structure and required data transfers in order to select the best alternative to fit its needs.