Less than two weeks after the Conclusions of the Advocate General of the European Court of Justice, the Court has ruled that the Safe Harbour framework for transferring personal data form the EU to the US is invalid.
The direct consequence of the Ruling is that the Irish Data Protection Authority will have now to examine if the complaint lodged by the Austrian student Max Schrems is well founded and to decide if the transfer of personal data to the US should be suspended on the grounds that that country does not afford an adequate level of protection.
A much wider consequence however will be the profound implications of the Ruling for those organisations transferring personal data from the EU to the US, and for the transatlantic data flows in general and the strategic partnership between the EU and US.
The ECJ Ruling will force Commission and US Administration to take action. At a Press Conference held by VP Timmermans and Commissioner Jourova some hours after the publication of the Ruling, they stated Commission’s priorities after the Ruling. First and foremost, the protection of personal data transferred across the Atlantic. Secondly, the continuation of transatlantic data flows, backbone of our economy, with adequate safeguards and finally the uniform application of EU law in the Internal Market.
The same day, US Secretary of Commerce Penny Pritzker made a statement expressing her deep disappointment in ECJ decision which creates uncertainty for both US and EU companies and consumers and puts at risk the thriving transatlantic digital economy.
The past two days have been a bit hectic. In fact, all stakeholders are trying to understand the implications of the Ruling and taking stock of the alternative data transfer solutions available
In principle, with the ECJ Ruling any transfer of data based on Safe Harbour should stop immediately. Thus, companies should find other legal basis for continuing those transfers such as BCRs, Standard Contractual Clauses. Indeed, other possibilities, mentioned by Commissioner Jourova, such as consent of the data subject or case by case authorization by the DPA, are not real alternatives for generalized transfers of data as companies do.
In the short term, the Commission and US Authorities are obliged to conclude negotiations on a new safer Safe Harbour as soon as possible, although Commissioner Jourova could not state a deadline for the negotiations. Both sides will try to convince everyone that the new scheme includes the additional safeguards required by the ECJ. However, there are certain aspects of the Ruling difficult to be incorporated in a newer Safe Harbour scheme.
Additionally the Commission has committed to issue guidance to National Data Protection Authorities to ensure a coordinated response on alternative ways to transfer data and to avoid fragmentation with a patchwork of contradicting decisions, thus providing predictability for citizens and businesses. Next week Commission will meet with Art. 29 WG gathering National Data Protection Authorities from all Member States and the Commission expects to come forward with this guidance quite quickly.
Having said that, in a certain way the whole system of international transfer of data from the EU to third countries is contested. The General Data Protection Regulation (GDPR), currently under discussion between European Parliament and Council, which basically maintains the current system with some improvements aiming at more simplification for organisations, could also be impacted and additional requirements be introduced in the light of the Ruling.
The wider issue of third countries (and more specifically US) adequacy will take time to resolve. But in the meantime, without waiting until the adoption of the Regulation, companies need to do a comprehensive assessment for their different business units in the EU and outside the EU.
Companies need to assess if implementing Company’s Binding Corporate Rules could be an option in order to facilitate intra-group transfers or if executing Standard Contractual Clauses with its sub-contractors could also streamline commercial transfers and, at the same time, guarantee an adequate level of protection.
The 6th October, while VP Timmermans and Commissioner Jourova were giving their press conference in Strassbourg stating the first reactions of the Commission on the Ruling, a new OECD publication on “Data-Driven Innovation: Big Data for Growth and Wellbeing” was being presented in Brussels.
Here, I would like to draw the attention to some of the main policy considerations of the study:
Firstly, encourage investments in data, data sharing and reuse, and reduce barriers to data flows that could disrupt the Global Value Chain.
Secondly, strike the right balance between the benefits of Openness and Closeness (legitimate concerns over Privacy and Intellectual Property Rights). Currently, there is confrontation between a trend towards Openness seen in data portability, open APIs, open standards, open data and a trend towards Closeness in user lock-in, IPRs, trade secrets, confidentiality, privacy and security.
Thirdly, put the debate at a higher level. Data as a society challenge requires a whole society approach, especially if data is the source of innovation as in the past was R&D.
Ensuring that transatlantic data flows can continue with the adequate safeguards versus reducing barriers to data flows… two contradictory views or the absolute need to bridge the gap?