On October 16, 2015, the Article 29 Working Party issued a highly-anticipated statement on the implementation of the CJEU Maximilian Schrems v Data Protection Commissioner case. From the perspective of companies that relied upon Safe Harbor as their sole legal basis for importing personal data from Europe, and currently lack and are unable to quickly utilize an alternate mechanism, the statement is as notable for questions not addressed as for those that were taken on.
Here are five questions that the Article 20 Working Party statement doesn’t address for these companies.
With respect to data transferred before October 6, 2015:
1. Can the data continue to be held, as opposed to being immediately deleted?
2. If yes, can it continue to be used for the legitimate purposes for which it was collected and transferred?
3. If yes again, can it be updated via a new transfer, even in the absence of an alternate mechanism, if it is in the data subject’s interest to do so?
4. Should there be a grace period, during which new data transfers under Safe Harbor may occur while a company transitions to implementation of an alternate mechanism?
5. Should references to Safe Harbor in privacy policies, notices and websites be amended immediately?
What is to be made of the fact that the Working Party is silent on these topics? It may be that the magnitude of the sudden shift in the EU DP acquis caused by the Schrems ruling renders any attempt to formulate answers to these questions too complex and fraught with legal uncertainty. What was lawful one day became unlawful the next, but only on one side of the Atlantic. Furthermore, the focus is an unprecedented quasi-legal framework created out of thin air through political negotiation and agreement. It may also be the case that taking into consideration the uncertainty the Working Party acknowledges as to the post-Schrems viability of alternate transfer mechanisms, that they believe it best to defer questions about how one unravels previously acceptable mechanisms to a later time when the bigger picture has been brought into focus. Or the Working Party may have had intense discussions about these questions and concluded that they are best answered on a case-by-case basis by individual DPAs. The need to produce a statement that reflects a consensus or common position of all the DPAs may have played a determinative role as well.
Whatever the factors underlying the limited focus of the Working Party’s October 16 statement, it remains striking that a document professing to discuss the implementation of a judicial ruling invalidating the Safe Harbor framework has so little practical guidance to provide to thousands of Safe Harbor companies about their current data processing activities.
My own thoughts on these questions are that one has to begin by distinguishing between legal obligations that apply to European companies and those that apply to US companies. Since Safe Harbor was designed to bridge the gap that exists, it is not surprising that its demise yields quite divergent answers depending upon the jurisdiction a company is located in.
At the same time, this division of applicable law by jurisdiction does not apply to Safe Harbor companies with respect to transfers of human resources data. According to the sixth paragraph of the Safe Harbor Privacy Principles “U.S. law will apply to questions of interpretation and compliance with the Safe Harbor Principles….except where organizations have committed to cooperate with European Data Protection Authorities.” Making such a commitment is mandatory under Safe Harbor when it comes to HR data. Consequently, what follows holds only for non-HR data, or for HR data in situations in which the DPAs have not intervened.
Here is my analysis:
With respect to data transferred before October 6, 2015:
1. Under European DP law, a good case can be made that the data must be deleted immediately, along the lines that even storage of data is a form of data processing under the Directive and that no legal ground exists post-Schrems to engage in such processing. At the same time, a counter argument could be made that the CJEU Schrems ruling only applies to transfers going forward and doesn’t address the past or current legitimacy of data processing activities that were lawful when initiated. In addition, immediate deletion could have serious unintended consequences for data subjects, such as for those who have paid for products to be delivered or for surgery to be performed remotely by companies reliant upon Safe Harbor.
Under US law, the situation is less ambiguous. A company should be able to retain pre-Schrems data. While companies are explicitly required by FAQ 6 to delete transferred data if they leave the Safe Harbor program, there is nothing in the text of the Safe Harbor documents that addresses whether transferred data can or cannot continue to be held if the program itself ceases to exist. The FTC would have grounds to take enforcement action against a company that fails to continue to apply the Safe Harbor privacy principles and FAQs to the transferred data. However, I see no basis under which the FTC could take action against a company solely for failing to delete Safe Harbor data in light of the CJEU ruling.
2. Under European law, the answer to the questions as to whether data transferred before October 6, 2015 can continue to be used for the legitimate purposes for which it was collected and transferred would likely follow the answer to the previous question about storage. It should be noted that the CJEU did not find that Safe Harbor companies were using transferred data in illegitimate ways, rather that the US government was doing so, by virtue of its indiscriminate mass surveillance with no access and correction rights or recourse for data subjects. It would not be surprising if some DPAs would be amenable to allowing the continued use of pre-Schrems data, at least in some cases and for some periods of time.
Under US law, a Safe Harbor company should be able to use pre-Schrems data as long as it continues to apply the Safe Harbor Privacy Principles and FAQs to its handling of the data.
3. Under European law, the CJEU ruling makes crystal clear that new data transfers cannot be made lawfully on the basis of Safe Harbor participation, whether on an interim or a long-term basis. At the same time, if the grounds for allowing pre-Schrems data to continue to be used described above are persuasive, would they not remain so if a new data transfer was only an update of data previously supplied, such as a change in shipping address or a request for data subject access? One begins to sense a slippery slope with this line of argument, yet some DPAs might weight the interests of data subjects and decide to look the other way and focus on more consequential matters.
US law, on the other hand, contains no prohibitions against receipt of data from Europe without the protections required by European law. While a European company is now legally prohibited from exporting personal data on the basis of Safe Harbor, no such strictures apply on the receiving side.
4. Given the unequivocal rejection of Safe Harbor as a basis for new data transfers by the CJEU, it was probably a pipe dream to imagine that the Working Party could find a way to allow for a grace period that would allow Safe Harbor data exporters and importers to continue business as usual until an alternate transfer mechanism was developed and in place. The best that can now be hoped in this regard is that individual DPAs will allow an unspoken de facto grace period to come into existence.
On the US side, the fact that the US Department of Commerce has adopted the position that Safe Harbor remains open for business (see http://export.gov/safeharbor/ and my blog), however, bizarre and indefensible that may be, would appear to encourage new data transfers from European companies willing to overlook the legalities involved or from European consumers who may be unaware of the CJEU ruling or its significance.
5. By anyone’s standards, be they European or American, it would be both unethical and a violation of law to not amend policies, notices or websites that reference Safe Harbor and thereby fail to inform European data subjects that the program said to ensure protection for their US-bound data has been ruled invalid and ineffective by Europe’s top court. The adequacy of notice provided to data subjects is fundamental both in European DP law and in the more narrow Notice-and-Choice approach to privacy protection found in the US and in the Safe Harbor Privacy Principles. Furthermore, given the indispensability of transparency, such amendments should also address, at a minimum, what is being done with previously transferred data, what the company is doing about new transfers and what options the data subject has in this new regulatory environment.
So there you have it. We have received regulatory guidance that either ducks the difficult responsibility of explaining how to apply the Schrems ruling to the real world or farms that responsibility out to dozens of DPAs to sort out on their own on a case-by-case basis.
Hang on to your seat belts. We live in interesting times.