DCN June 2016 | Page 13

centre of attention Harbor to send their data to the US. These authorities stated that, if no appropriate replacement solution was found with the US by the end of January 2016, they would be ‘committed to take all necessary and appropriate actions, which may include coordinated enforcement actions’. In fact, the Safe Harbor programme had been the subject of criticism for some time, certainly long before the European Court’s decision. Negotiations had been underway between the European Commission and the US Department of Commerce since April 2014 when the European Parliament requested the suspension of the Safe Harbor framework after the documents leaked by Edward Snowden revealed the extent of US government mass surveillance. In the end, a few days after the January deadline (2nd February 2016), there was a joint EU-US announcement that a replacement for Safe Harbor had been agreed, namely the Privacy Shield program. Privacy Shield looks to be, in many ways, a reinforced version of Safe Harbor, with a greater emphasis on transparency and redress mechanisms for individuals looking to find out where their data is being sent, what it is being used for and – where appropriate – to object to the processing. The Privacy Shield program is not yet ready for US companies to join, as it has to pass through a formal EU approval process to ensure that it provides adequate protection for EU personal data. During this process a number of EU institutions analyse the details of the proposed program in order to assess whether it will – when viewed in its entirety – provide adequate protection for individuals’ data. The Shield or the open sea? Safe Harbor was not the only mechanism for sending EU data to the US. As a result, there has been a variety of approaches, ranging from those companies which were ready with a Safe Harbor alternative the day after the invalidity judgment to others who have been maintaining a ‘wait and see’ position, in the hope of replacing Safe Harbor with Privacy Shield membership. Shortly after the Safe Harbor framework was invalidated, the European data protection authorities confirmed that there were still other valid legal bases available for the EU-US transfer of personal data. One involves the implementation of ‘standard contractual clauses’: a set of model clauses approved by the European Commission which apply to the transfer of personal data from within the European Economic Area (EEA) to inadequate ‘third’ countries. If parties wanting to transfer personal data incorporate the standard contractual clauses into agreements between them (and do so in unamended form), this provides a legal basis for those transfers. Another legal basis involves ‘Binding Corporate Rules (BCRs)’: drawing up a set of binding internal rules which ensure the protection of personal data wherever it is transferred within a company or group of companies. Once drafted by the company, BCRs must be authorised by relevant national data protection authorities, and the subsequent authorisation provides the legal basis for the transfers of data. New EU data laws on the horizon There is no ‘one-size-fits-all’ solution for data transfers leaving the EU. What will be most appropriate for one company may not suit another, and selecting the most appropriate solution can be both difficult and strategically critical. Businesses should ensure that their chosen solution not only satisfies current compliance demands, but also the imminent substantial changes in EU data protection law introduced by the General Data Protection Regulation (GDPR), expected to be in force from mid-2018. The GDPR is a major new piece of EU legislation that is being introduced to ensure consistent and enhanced data protection laws across Europe. It brings in much more serious sanctions for non-compliance than are currently in place: the maximum fine that can be imposed is set at €20m or four per cent of the annual worldwide turnover for the preceding financial year, whichever is higher. Stronger accountability requirements are also featured, meaning that businesses need not only to comply with the GDPR but also provide evidence of such compliance, in the form of policies and documented processes. The GDPR also preserves the restrictions on the export of personal data and explicitly refers to BCRs, confirming that this particular data transfer solution is expected to be available for the long term. Ultimately, the best course of action for businesses wanting to shore up their international data flows depends on a range of factors including their individual characteristics, capabilities and resources. The main options currently available are standard contractual clauses, BCRs, and joining the Privacy Shield program, once available. Each of these options has its appeal; however, we would expect that international businesses will increasingly choose BCRs in future. Even without a crystal ball at our disposal, we predict that the future for international data flows will not be plain sailing. 13