The European Commission issued guidelines on how to operate following the invalidation by the European Court of Justice of the Safe Harbor privacy principles for transfers of personal data between the EU and US. But this might not be the end of this saga.
How to handle data transfers to the US?
The decision of the European Court of Justice (CJEU) that invalidated the Safe Harbor privacy principles for the transfer of personal data between the European Union and the United States created a situation of “panic” among companies relying on those rules to govern data transfers. This was also because it was not 100% clear whether alternative solutions for managing data transfers, such as the so-called model clauses or standard contractual clauses, could be a viable option, since they might be challenged as well.
The European Commission has now issued privacy-related guidelines on how to operate during this interim period, until a new arrangement with the US is reached on how to regulate data transfers. The possible alternatives are:
Model clauses/Standard Contractual Clauses (SCCs)
Model clauses or standard contractual clauses are currently the easiest and fastest solution to the problem, and this is the solution most often adopted by our clients. In particular, the model clauses have also been put in place to regulate intragroup data transfers with companies located in the United States as an immediate solution, given that their implementation does not require any filing or approval with data protection authorities in most of the EU Member States, including Italy.
Binding Corporate Rules (BCRs)
Binding corporate rules are a valid solution to handle data transfers among companies of the same group worldwide. The main downside of BCRs is that they need to be authorized in advance by the data protection authority of each EU Member State where the data transfer is to be performed, i.e. each EU country where a branch/subsidiary of the group is located. As a consequence, their implementation is quite time-consuming.
Derogations
There are some scenarios where data transfers can be freely performed, such as:
- Transfers necessary for the performance of an agreement e.g. an agreement with a US supplier;
- Establishment, exercise or defense of legal claims; and
- Free and informed consent from the relevant individual.
These exceptions are considered extraordinary and for this reason the Article 29 Working Party which is a working group of European data protection authorities.
It is not the end of privacy compliance uncertainty
The guidelines expressly provide that
“The present Communication is without prejudice to the powers and duty of the Data Protection Authorities to examine the lawfulness of such transfers in full independence. […] Nor can this Communication form the basis for any individual or collective legal entitlement or claim.”
This means that even if a transfer of data to the United States occurs, for instance, following the adoption of the EU model clauses, a Data Protection Authority might challenge such data transfer. As a consequence, regardless of the alternative option implemented to handle data transfers, thorough due diligence on how data is collected in the European Union and how it is processed once transferred to the US is now crucial.
But the end of the uncertainty might not be too far off
Andrus Ansip, the European Commission vice-president for digital issues, said
“We need an agreement with our U.S. partners in the next three months”
A new agreement on the transfer of data to the United States is crucial to preserve the business between the European Union and the United States and privacy experts will actively work on a possible solution.