After the European Court of Justice invalidated the fifteen-year-old Safe Harbor framework last month, many companies were left wondering how to proceed. People watching and analyzing the issue all around the world have weighed in on alternative mechanisms and what a new framework should look like. Today, the European Commission (EC) issued its clarification and guidance on the issue and, most importantly, on alternative mechanisms.
The EC offered some hope of a new Safe Harbor framework, saying, “Following the judgment, the Commission remains committed to the goal of a renewed and sound framework for transatlantic transfers of personal data. In this respect, it has immediately resumed and stepped up its talks with the U.S. government in order to ensure that any new arrangement for transatlantic transfers of personal data fully complies with the standard set by the Court.” The Commission also analyzed and weighed in on the alternative mechanisms available, namely Standard Contractual Clauses (SCCs, also known as Model Clauses) and Binding Corporate Rules (BCRs).
Standard Contractual Clauses
The Commission made it clear that Member States are obligated to accept the Commission-approved SCCs and thus cannot refuse the transfer of data to a third country (one that does not have an adequate data protection framework in place) solely on the ground that these SCCs do not offer sufficient safeguards. However, the Commission made it equally clear that states retain the power, through their Data Protection Authorities (DPAs), to maintain a notification and preauthorization system for the use of these SCCs. This means states can review and compare the clauses contained in a contract to the Commission-approved SCCs to ensure no changes have been made. If the contract does not contain any changes, authorization is essentially granted automatically.
The Commission’s adoption of the approved SCCs does not prevent companies from creating ad hoc contractual agreements with states, nor does it prevent states from creating their own standardized contracts. Most companies that use these contracts to carry out their international data transfers, however, base them on the Commission-approved SCCs.
Of note, the Commission did indicate that the legality and adequacy of these contracts could be challenged. Member States can bring the issue to their national courts, which can in turn make a request for a preliminary ruling to the Court of Justice.
Binding Corporate Rules
The Commission noted that BCRs are adequate to allow international data transfers. Keep in mind that most Member States’ laws require BCRs to be authorized by the DPA in each Member State from which the multinational company intends to transfer data.
Derogations
The Commission also affirmed the transfer of data in the absence of SCCs and BCRs when an alternative derogation (set out in Article 26(1) of Directive 95/46/EC) applies. The simplest exemption from the ruling is the consent of the data subject.
The Commission pointed out two important conditions to recall. First, irrespective of the specific legal basis a company relies on (an adequacy finding, SCCs, BCRs, etc.), transfers to a third country are only lawful if the data was originally collected and processed by the data controller in the EU in accordance with applicable Member State laws. Second, in the absence of a Commission adequacy finding, data controllers are responsible for ensuring their data transfers comply with the sufficient safeguards of the Directive. The Commission also reiterated that Member States’ DPAs have full investigative and enforcement power.