Where are we now on transfers of personal data to the US?

The repercussions of the decision of the Court of Justice of the European Union (CJEU) in Schrems v Data Protection Commissioner (Schrems) that the EU-US Safe Harbor framework was invalid are continuing to be felt nearly four months after the judgment.

This article explains the background to the judgment, looks at what has happened in the four months since the decision and examines what business should do in relation to any transfers of personal data to the US.

Data protection principle 8 – international transfers of personal data

The Data Protection Act 1998 gives effect to the eight data protection principles from the EU Data Protection Directive that data controllers must comply with. Principle eight concerns the transfer of data outside the European Economic Area:

“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

There are three main ways that businesses can comply with this principle when transferring data internationally.

  1. Transfer the data to a country that the European Commission has decided provides an adequate level of protection for personal data

    The Commission has decided that twelve countries provide an adequate level of protection for the processing of personal data. In the case of the US, the Commission decided in 2000 that the Safe Harbor framework provided adequate protection for data transferred to US companies that had signed up to the framework. This decision has been invalidated by the CJEU’s decision in Schrems for the reasons explained below.

  2. Transfer the data under a contract that provides an adequate level of protection

    There are model contractual clauses, approved by the Commission, that automatically provide an adequate level of protection for personal data transferred under contracts that incorporate the clauses. It is also possible for businesses to use amended clauses that they consider provide an adequate level of protection, but these could be challenged on the basis that such an assessment is mistaken, unlike the model clauses (although the law on whether the model clauses are also subject to challenge is currently developing, as explained below).

  3. Assess that the level of protection for data subjects’ rights is “adequate in all the circumstances of the case”

    In order to rely on this method, businesses would need to conduct a risk assessment for the transfer of the data to determine that the protection offered was “adequate in all the circumstances of the case”. This assessment should take into account:

  • the nature of the personal data;
  • the country of origin of the data;
  • the country of final destination of the data;
  • how the data will be used;
  • how long the data will be used for; and
  • the security measures to be taken in respect of the data.

The Information Commissioner’s Office (ICO) offers guidance for businesses on how to conduct this assessment.

The judgment in Schrems and the end of the Safe Harbor framework

On 6 October 2015 the CJEU held in Schrems that the Safe Harbor framework did not provide adequate protection for personal data transferred to the US.

The main problems that the CJEU identified with the framework were:

  1. that US authorities had the ability to access personal data beyond the extent to which it was strictly necessary for the protection of national security; and
  2. it was not possible for data subjects to take action in the US for breach of data protection laws relating to their personal data.

The CJEU also held that even if the Commission has decided that a country offers an adequate level of protection for personal data, national data protection authorities (such as the ICO) may still examine complaints that an individual’s data has not been adequately protected.

The consequence of Schrems is that the Commission’s decision that the Safe Harbor framework provides adequate protection for personal data can no longer be relied on for compliance with principle 8.

The EU-US Privacy Shield

On 2 February the Commission announced the EU-US Privacy Shield as the intended replacement for the Safe Harbor framework. The Commission’s press release highlights three key features of the Privacy Shield that are intended to meet the CJEU’s criticisms of the Safe Harbor framework:

  • “Strong obligations on companies handling Europeans' personal data and robust enforcement”;
  • “Clear safeguards and transparency obligations on U.S. government access”; and
  • “Effective protection of EU citizens' rights with several redress possibilities”.

Disappointingly, however, nearly a month later the content of the framework has still not been published. The Article 29 Working Party (WP29), an EU advisory body comprised of national data protection authorities that will formally advise on whether the Privacy Shield does provide an adequate level of protection for personal data, requested information from the Commission relating to the proposed framework by the end of February. Nevertheless, at the time of writing there has still been no public release of this information.

A further practical concern for businesses is that the Commission’s announcement is only the start of a four-stage process towards a finding that the Privacy Shield provides adequate protection for personal data. Not least, the WP29 has identified four areas that it considers must be appropriately addressed by the Privacy Shield:

  1. processing should be based on clear, precise and accessible rules;
  2. access to personal data by intelligence services should be necessary and proportionate;
  3. there should be an effective, impartial oversight mechanism; and
  4. there should be effective individual remedies for breach of data protection law.

At the announcement of the Privacy Shield, Commissioner Jourová expressed her wish that the Privacy Shield will be implemented within the next three months. While the signing of the US Judicial Redress Act last week is an important step towards the implementation of the Privacy Shield, Commissioner Jourová‘s timescale seems optimistic to say the least.

How should businesses do at the moment?

While formally the transfer of data to the US solely under the now-invalid Safe Harbor framework is a breach of data protection law, the ICO has emphasised that it is unlikely to use its enforcement powers in respect of transfers of data to the US until the adoption of the Privacy Shield:

“We are not rushing to use our enforcement powers. There is no new and immediate threat to individuals’ personal data that has suddenly arisen that we need to act quickly to prevent. Of course the ICO will consider complaints from affected individuals whatever transfer mechanism you’re relying on but we will be sticking to our published enforcement criteria and not taking rushed action whilst there’s so much uncertainty around and solutions are still possible.”

The ICO’s official guidance is therefore “don’t panic and don’t rush” given the current legal uncertainty.

If businesses were particularly concerned about the transfer of data to the US, they could look to comply with principle eight in another manner; the ICO maintains an accessible guide on compliance with the principle and its exceptions. However, the alternative procedures also lack legal certainty – as the WP29 has identified, there is a risk that the other mechanisms may also be affected by the judgment in Schrems. For example, regardless of corporate rules and contractual provisions, US authorities could still access personal data stored in the country, one of the criticisms made of the Safe Harbor framework by the CJEU.

Overall, therefore, while progress has been made towards the adoption of the Privacy Shield to replace the Safe Harbor framework, it seems unlikely that businesses will find that transfers of personal data to the US are plain sailing for some months yet.

Further information

If you would like further information on this topic, please see the ICO’s guidance on the international transfer of personal data and its interim guidance on the Safe Harbor decision.