The regulators on both sides of the Atlantic have offered little practical guidance. In the U.S., the Dept. of Commerce continues its preposterous and indefensible charade that Safe Harbor remains open for business and still provides a streamlined way for participating organizations to comply with European privacy requirements. The agency’s message seems to be that this whole Schrems brouhaha is a European problem and that Safe Harbor companies should sit tight and bide their time, while the Department sorts things out with the Europeans.
In the EU, the DPAs have said little collectively besides indicating that new transfers under Safe Harbor are not allowed and that model contracts and BCRs are at least temporally acceptable, although they too could be found invalid in the months ahead. The Article 29 Working Party has been silent on some very key questions, such as: What should be done with data transferred before the Schrems decision? If a company transfers the same data sets, using the same systems, after the Schrems decision that it did before, is that a “new transfer”? Is there a grace period in enforcement while companies move towards alternatives such as model contracts and BCRs? Or one that extends until the continued viability of these options is established?
The reason for the lack of guidance from the Article 29 Working Party is at least understandable: they have been unable to reach a consensus on what guidance to give. Instead, we see individual DPAs proceeding in significantly different directions:
- In the UK, the ICO has urged companies to keep calm and not rush to other transfer mechanism that may turn out to be less than ideal. The ICO took the position in October 2015 that Safe Harbor at least provides some genuine protections for transferred data, that UK data controllers have the right under UK law to make their own adequacy assessments and that it had little appetite to go after companies continuing to rely upon Safe Harbor. On February 11, 2016, acknowledging that companies have been seeking additional clarity about data transfers to the US, the ICO re-affirmed its hands-off approach and said that any further guidance would have to await the completion of assessments of the Privacy Shield and a European Commission decision on its adequacy.
- In Germany, by contrast, the Schleswig-Holstein DPA announced in mid-October 2015 that data transfers to the US based upon model contracts should be terminated or suspended, with DPAs in Bremen and Berlin concurring with this definitive position the following day. A week or so later, all the German DPAs stated that they would not approve any new transfers of data based upon BCRs or ad hoc data export contracts.
- In Spain, the AEPD announced on November 27 that it had sent a letter to all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies, given them until January 29, 2016 to inform the authority of what mechanisms for data transfers they were now using.
- In France, the CNIL let actions speak louder than words in announcing on February 8, 2016 that it had given Facebook three months to either cease transfers of personal data to the US on the basis of Safe Harbor or face sanctions.
This divergence of enforcement stances is likely to accelerate in the months ahead, in what might prove to be the largest but last display of decentralized regulatory decision-making before the General Data Protection Directive comes into effect.
So, in this highly uncertain regulatory environment and returning to our main question, what should a US company that had previously relied upon the Safe Harbor framework do?
At a minimum, privacy policies and notices that reference Safe Harbor should be amended to acknowledge the current situation and the ongoing bi-lateral efforts to forge a new agreement, while pledging continued adherence to the Safe Harbor Privacy Principles in the processing of any personal data transferred under the framework. Failure to make such an amendment would be indefensible, violating the basic principles of notice and choice that constitute the foundation of the Safe Harbor framework. Such a stance could also undermine the integrity of US management in the eyes of European employees and colleagues. In addition, a commitment to either explore or pursue use of an alternative transfer mechanism should be included in any amended notice, if in fact a decision has been reached to do so.
Beyond that, a company should take into account its jurisdictional footprint in the EU and the depth of its commitment to obey the laws of nations in which it operates. The compliance challenge for a US company with employees only in the UK or Ireland is clearly far different from one with employees only in Germany or France. The former can afford to follow the Dept. of Commerce-UK ICO line and sit tight, although it may not want to if it recognizes the shallowness and expediency of such an understanding of European data protection law.
Companies operating in any of the member states with a more active data protection authority need to be guided by the advice provided by each. If model contracts or BCRs are the only available data transfer options in a particular member state, these should be evaluated and pursued if appropriate. Nothing satisfies a European DPA more than genuine efforts being made to come into compliance, even if this takes time to achieve. Situations in which the advice of one DPA is incompatible with that of another will require flexibility and creative problem-solving.
Where model contracts or BCRs prove to be impractical or undesirable, there is simply no other alternative, if a company operating in the EU is avoid acting illegally, but to stop transferring personal data from the EU to the US in a bulk and recurring manner. This could be done by processing European personal data solely within Europe, or by transferring only aggregate, statistical or pseudonymous data to the US. Transfers of limited amounts of personal data in highly defined contexts – such as the identifying information needed for the registration and exercise of stock options – fortunately may continue on the basis of consent under existing regulatory guidance.
As disruptive and undesirable as such changes may be, European data protection law will require them if the new Privacy Shield agreement fails to come to fruition or to pass regulatory and legal scrutiny. Safe Harbor companies should begin planning for such an eventuality. No one hopes it will come to this, but it could happen.