centre of attention
Harbor to send their data to the US. These authorities stated that, if no appropriate replacement solution was found with the US by the end of January 2016, they would be ‘committed to take all necessary and appropriate actions, which may include coordinated enforcement actions’. In fact, the Safe Harbor programme had been the subject of criticism for some time, certainly long before the European Court’s decision. Negotiations had been underway between the European Commission and the US Department of Commerce since April 2014, when the European Parliament requested the suspension of the Safe Harbor framework after the documents leaked by Edward Snowden revealed the extent of US government mass surveillance.
In the end, a few days after the January deadline (2nd February 2016), there was a joint EU-US announcement that a replacement for Safe Harbor had been agreed, namely the Privacy Shield program. Privacy Shield looks to be, in many ways, a reinforced version of Safe Harbor, with a greater emphasis on transparency and redress mechanisms for individuals looking to find out where their data is being sent, what it is being used for and, where appropriate, to object to the processing.
The Privacy Shield program is not yet ready for US companies to join, as it has to pass through a formal EU approval process to ensure that it provides adequate protection for EU personal data. During this process a number of EU institutions analyse the details of the proposed program in order to assess whether it will, when viewed in its entirety, provide adequate protection for individuals’ data.
The Shield or the open sea?
Safe Harbor was not the only mechanism for sending EU data to the US. As a result, there has been a variety of approaches, ranging from those companies which were ready with a Safe Harbor alternative the day after the invalidity judgment to others who have been maintaining a ‘wait and see’ position, in the hope of replacing Safe Harbor with Privacy Shield membership. Shortly after the Safe Harbor framework was invalidated, the European data protection authorities confirmed that there were still other valid legal bases available for the EU-US transfer of personal data.
One involves the implementation of ‘standard contractual clauses’: a set of model clauses approved by the European Commission which apply to the transfer of personal data from within the European Economic Area (EEA) to ‘third’ countries that have not been found to offer adequate protection. If parties wanting to transfer personal data incorporate the standard contractual clauses into agreements between them (and do so in unamended form), this provides a legal basis for those transfers.
Another legal basis involves ‘Binding Corporate Rules (BCRs)’: drawing up a set of binding internal rules which ensure the protection of personal data wherever it is transferred within a company or group of companies. Once drafted by the company, BCRs must be authorised by the relevant national data protection authorities, and the subsequent authorisation provides the legal basis for the transfers of data.
New EU data laws on the horizon
There is no ‘one-size-fits-all’ solution for data transfers leaving the EU. What will be most appropriate for one company may not suit another, and selecting the most appropriate solution can be both difficult and strategically critical. Businesses should ensure that their chosen solution not only satisfies current compliance demands, but also the imminent substantial changes in EU data protection law introduced by the General Data Protection Regulation (GDPR), expected to be in force from mid-2018. The GDPR is a major new piece of EU legislation that is being introduced to ensure consistent and enhanced data protection laws across Europe. It brings in much more serious sanctions for non-compliance than are currently in place: the maximum fine that can be imposed is set at €20m or four per cent of the annual worldwide turnover for the preceding financial year, whichever is higher. Stronger accountability requirements are also featured, meaning that businesses need not only to comply with the GDPR but also to provide evidence of such compliance, in the form of policies and documented processes. The GDPR also preserves the restrictions on the export of personal data and explicitly refers to BCRs, confirming that this particular data transfer solution is expected to be available for the long term.
Ultimately, the best course of action for businesses wanting to shore up their international data flows depends on a range of factors including their individual characteristics, capabilities and resources. The main options currently available are standard contractual clauses, BCRs, and joining the Privacy Shield program, once available. Each of these options has its appeal; however, we would expect that international businesses will increasingly choose BCRs in future. Even without a crystal ball at our disposal, we predict that the future for international data flows will not be plain sailing.