Safe Harbor solution invalid; alternative required
On 6 October 2015 the European Court of Justice delivered an important judgment that complicates the exchange of personal data with the USA: it declared the European Commission's "Safe Harbor Decision" invalid. Companies that currently pass on personal data to companies in the USA on the basis of the Safe Harbor Decision are therefore acting in breach of the law. The European data protection authorities, united in the Article 29 Working Party, have expressly confirmed this and have announced that they will enforce the new situation from the end of January 2016. You are therefore well-advised to establish, in the short term, on the basis of which regime your company exchanges personal data with the USA.
Personal data are exchanged with US companies more often than you might think. Examples include company-wide personnel records held in the USA, customer accounts at a US cloud provider, a 24-hour helpdesk for system maintenance staffed by employees in the USA, and web analytics performed in the USA. If personal data are passed on to the USA on the basis of the US company's Safe Harbor certification, new arrangements will have to be made, since that regime has been declared to be in breach of European privacy rules.
Under the Wet bescherming persoonsgegevens (Dutch Personal Data Protection Act), personal data may not be passed on to a country outside the EU that does not guarantee an adequate level of protection, which is the case for the USA. The current regulations set out a number of exceptions to this prohibition. Data may be passed on in the following circumstances, among others:
- if the data subject has given his or her unequivocal consent;
- if the data must be passed on in order to perform an agreement with the data subject;
- if a model contract of the European Commission is used; or
- if an export permit has been issued by the Minister of Safety and Justice.
In addition to these possibilities, personal data may be passed on within a group of companies that has adopted Binding Corporate Rules for its own organisation.
In light of this judgment of the European Court of Justice, however, the question is whether the remaining means of passing on personal data from Europe to the USA will remain valid in the long run. An important reason for the Court of Justice to declare the Safe Harbor regime invalid is that the US authorities can gain access to the personal data made available to US companies under that regime. This is because US rules on national security take priority over agreements between European and US companies, and that applies equally to model contracts, consent, Binding Corporate Rules and export permits. It cannot be avoided by means of agreements between companies or with data subjects; international agreements will be needed for that purpose.
In its statement of 15 October 2015 the Article 29 Working Party (on which the President of the Dutch Data Protection Authority also has a seat) first called on the European Member States and institutions to negotiate with the USA and reach agreement on the transfer of personal data from the EU to the USA. The Article 29 Working Party will also investigate what effect the judgment of the European Court of Justice has on the other means of passing on data. In the interim, companies can continue to make use of the European Commission's model contracts. However, the Article 29 Working Party notes that the national supervisory authorities may investigate specific cases, for instance on the basis of complaints.
The Article 29 Working Party expects companies to take measures to reduce the privacy risks involved in passing on personal data to the USA. The national supervisory authorities will furthermore take action, including coordinated enforcement efforts, if no new arrangements have been agreed between Europe and the USA by the end of January 2016.
In sum, passing on personal data to the USA under the Safe Harbor regime is unlawful, and companies have until the end of January 2016 to find alternative solutions. Concluding model contracts currently appears to be the fastest and easiest solution. In that case the contents of the appendices to those contracts, and the monitoring of compliance with them, will have to be considered carefully. The other requirements of the privacy regulations, including a lawful ground for processing, data security, the duty to inform data subjects and notification to the Dutch Data Protection Authority, must also be met.
In order to avoid high penalties in the future, it is advisable to identify all current exchanges of personal data with US companies, regardless of whether they take place on the basis of the Safe Harbor Decision. Moreover, in light of the new rules on the duty to report data breaches, you are also well-advised to critically review your existing (model) contracts and their appendices.
For more information on this subject please contact Monique Hennekens.