By Gail Crawford and Ulrich Wuermeling

As the whole world now knows, the UK voted to leave the European Union (EU) in its historic referendum on 23rd June by a vote of 51.9 percent in favour of “leave” to 48.1 in favour of “remain”. This blog focusses on how that decision will impact both UK and global organisations’ compliance with data protection law.

The referendum does not start the exit process. To formally start the exit process, the UK has to serve notice under Article 50 of the Treaty on the European Union which triggers a period for negotiation of the terms of the UK’s exit; with exit taking effect once those negotiations have concluded, or after two years (if sooner), irrespective of what terms have (or have not) been agreed. The two year cut-off period can only be extended with unanimous consent from all EU member states.

By Ulrich Wuermeling, Jennifer Archie & Lore Leitner

On March 17, 2016, the Civil Liberties Committee convened to discuss whether the Privacy Shield framework that will replace Safe Harbor provides adequate protection to the data of EU citizens. A number of experts were questioned including: the US lead negotiator, the EU Data Protection Supervisor, members of the Article 29 Working Party and Max Schrems, whose court case against Facebook led to Safe Harbor’s downfall.

The meeting of the Civil Liberties Committee follows on from the European Commission’s publication last month of the legal texts that will form the basis of the EU-US Privacy Shield and a Communication summarizing the action taken to rebuild trust in the data flows from the EU to the US. The European Commission also made public a draft “adequacy decision” establishing that the safeguards provided under the Privacy Shield are equivalent to the EU data protection standards. The documents provide a better idea of the substance and structure of the Privacy Shield, announced by the European Commission on February 2, 2016 and confirm the US commitment to ensuring that there will be no indiscriminate mass surveillance by its national security authorities.

Focus areas of the Privacy Shield

From the material made public, the new framework focuses on four areas:

By Ulrich Wuermeling, Gail Crawford and Jennifer Archie

Earlier this week, the European Commission announced that a “political” agreement has been reached on a new framework for data flows from the EU to the US. The announcement highlights a few changes from the old Safe Harbor regime, such as more direct and active oversight by US regulators, more stringent privacy protections, and establishing an ombudsman at the State Department for EU citizens who wish to complain about data protection matters. However, as a legal and compliance matter, US companies who previously relied upon Safe Harbor to transfer EU data take significant compliance risk if they do nothing in anticipation of newly branded EU-US Privacy Shield framework being formally approved, given it is not yet documented and will be subject to review by the EU data protection supervisory authorities in the so-called Article 29 Working Party as well as representatives of the Member States and the European Parliament.

By Ulrich Wuermeling

On November 6, the European Commission issued a comprehensive Communication on the consequences of the Schrems Judgment of the Court of Justice of the European Union (ECJ). In the Communication, the Commission puts national data protection authorities in their place by stating that Model Contracts are a valid alternative measure to provide adequate safeguards for data transfers to the US. According to the Commission, even in countries where use of the Model Contracts require permission by national data protection authorities, such permission has to be granted if the Model Contracts are used without modifications. Only the ECJ would have the power to invalidate the Commission Decisions on Model Contracts. According to the Schrems Judgement, the rights of the data protection authorities with respect to such Decisions are limited to examining them and bringing proceedings against them in court, if the authority believes adequate protection has not been provided.

On October 16, the data protection authorities as organized in the so-called Article 29 Working Party claimed in a Statement that they will continue their analysis on the impact of the Schrems Judgment on other transfer tools. Prior to that Statement, some regional data protection authorities had gone further and claimed that current reliance upon Model Contracts as an alternative transfer mechanism could be inadmissible after the Schrems Judgment (notably the data protection authority of Schleswig-Holstein and Rheinland-Pfalz in Germany). A joint Statement of the German data protection authorities followed and caused further confusion. It stated that the data protection authorities will not give permission to data transfers based on data export contracts. However, the Statement only referred to individually drafted data export contracts which are rarely used in practice anyway. One has to keep in mind that in Germany the use of Model Contracts does not need permission by data protection authorities in any event.

By Brian Meenagh

On October 26, 2015, Raja Al Mazrouei, the Commissioner for Data Protection for the Dubai International Financial Centre (the DIFC), issued guidance on the adequacy of US Safe Harbor for the purpose of exporting personal data from the DIFC. The guidance is significant for organisations that transfer personal data from the DIFC to the US and such organisations should urgently review the basis upon which they transfer personal data from the DIFC to the US to ensure that they continue to comply with the DIFC Data Protection Law (No 1 of 2007).

The guidance follows the decision of the European Court of Justice (the ECJ) in Case C-362/14 – Maximillian Schrems v Data Protection Commissioner that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid.

The key message from the guidance is that:

“the invalidation of the Adequacy Decision by the ECJ provides cause for the Commissioner to reconsider the adequacy status previously afforded under the Law to US Safe Harbor Recipients. However, the Commissioner also understands that there are ongoing negotiations between Europe and US authorities towards an improved Safe Harbor framework and that these negotiations are well advanced.

By Ulrich Wuermeling

On October 26, the European Commissioner Věra Jourová addressed the Parliament Committee on Civil Liberties, Justice and Home Affairs to discuss the consequences of the Schrems Judgment of the Court of Justice of the European Union (ECJ).

Jourová commented on the status of the negotiations with the US to find a new solution for data transfers: “There is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.” She plans to visit the US mid-November and hopes to make further progress on a new arrangement with the US.

By Ulrich Wuermeling

An early Position Paper of the German data protection authority of Schleswig-Holstein on the Schrems Judgment of the Court of Justice of the European Union (ECJ) gave little hope for practical alternatives to Safe Harbor. On October 26, all German data protection authorities published a more reasoned joint Statement that follows the approach taken by the Article 29 Working Party. It still includes some surprises in the details, but also offers hope for Model Contracts to be able to serve at least as an interim solution.

The Statement of the German data protection authorities (GDPA) starts with the unsurprising conclusion that data transfers cannot rely on the Safe Harbor Decision anymore. It continues to mention that the Schrems Judgment also puts data transfers under other instruments (like BCRs or Model Contracts) in question. The GDPAs announcement that they will not approve new BCRs or contractual solutions for data transfers in the US and have also requested that the German government allow data protection authorities to bring claims to courts (as required by the ECJ in the Schrems Judgment). The Statement of the GDPAs is short and obviously a compromise between differing views.

By Gail Crawford, Ulrich Wuermeling and Jennifer Archie

The so called Article 29 Working Party met on October 15, 2015 to discuss the consequences of the Schrems Judgment of the European Court of Justice (ECJ). On October 16, 2015, the Working Party published a Statement summarizing their initial conclusions. The Working Party includes representatives of the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission.

The Working Party states that data transfers made under Safe Harbor are unlawful following the Judgment. However, enforcement actions of the national data protection authorities shall only take place, if no other solution is found by the end of January 2016. In the opinion of the Working Party, such solution could include an intergovernmental agreement between the EU and US with reference to a revised Safe Harbor framework. It will be seen whether the US government will be able to agree to limit law enforcement access and to provide remedies for data subjects as required by the European Court of Justice, to the satisfaction of the EU. Due to this uncertainty, businesses will not be able to wait until January 2016, because they will not be able to implement alternative solutions in time, if the governments do not agree.

By Jennifer Archie, Gail Crawford and Ulrich Wuermeling

On October 6, the European Court of Justice ruled that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid (Case C-362/14 – Maximillian Schrems v [Irish] Data Protection Commissioner). The judgment is immediately effective without a grace period. The Data Protection Authorities of the EU Member States (Article 29 Working Party) have already scheduled a working group emergency meeting to discuss the consequences of the judgment, but it is unlikely that the meeting will lead to a simple solution for the 4,000+ US companies who rely on Safe Harbor. The European Commission has also published a press release with a short set of guidelines.

The Reasoning of the Court

In its judgment of 6 October 2015, the Court stated that

  • “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”

The recent showdown over renewal of certain provisions of the USA Patriot Act (often called simply the Patriot Act) and the subsequent enactment of the USA Freedom Act have raised a number of questions about the ongoing impact of these laws on data traversing or being stored in the United States. While the new law takes the NSA out of the direct business of maintaining metadata (which includes phone number called, the time and duration of the call, and location