On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s (CJEU) Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that:
[A]lternative tools authorising data flows can still be used by companies for lawful data transfers to third countries like the United States [while] a renewed and sound framework for transfers of personal data to the United States remains a key priority . . .
Until such time as the renewed transatlantic framework is in place, companies need to rely on the alternative transfer tools available. . . In this regard, the DPAs have a central role to play. As the main enforcers of the fundamental rights of data subjects, the DPAs are both responsible for and empowered to supervise data transfers from the EU to third countries, in full independence. The Commission invites data controllers to cooperate with the DPAs, thereby helping them to effectively carry out their supervisory role.
The DPAs remain competent to examine claims within the meaning of Article 28(4) of Directive 95/46/EC that the data transfer complies with the requirements laid down by the Directive (as interpreted by the Court of Justice), but cannot make a definitive finding. Rather, the member states have to provide for the possibility to bring the case before a national court, which in turn can trigger the jurisdiction of the Court of Justice by way of a request for a preliminary ruling.
The Communication summarizes the various mechanisms available to authorize cross-border personal data transfers to countries not deemed adequate, including the use of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and various other mechanisms that remain available in appropriate circumstances. These mechanisms (known as derogations) include contractual necessity and unambiguous prior consent. The Commission emphasizes that transfers can only be made if personal data is first collected and processed by the relevant data controller in accordance with applicable EU national laws. Absent adequacy, data controllers are responsible for ensuring sufficient safeguards for transfers. Under SCCs and BCRs, if a data importer believes that local country conditions may prevent it from performing its commitments, it must inform the data exporter, who should take steps as appropriate to ensure additional safeguards are in place.
With respect to BCRs, the Commission emphasizes that they are a tool for intragroup transfers. In most member states, transfers under BCRs must be authorized by the DPA in the jurisdiction from which personal data is transferred, with the streamlined lead DPA approval process available. The Commission notes that individuals are third-party beneficiaries to the BCRs and can bring complaints to DPAs and actions at member-state courts.
With respect to SCCs—the most broadly accessible method following the Schrems decision—the Commission makes a series of key points:
- Binding nature of SCCs: Since Commission decisions are binding in their entirety in the member states, incorporating the SCCs in a contract means that national authorities are in principle under the obligation to accept those clauses. Consequently, they may not refuse the transfer of the data to a third country on the sole basis that these SCCs do not offer sufficient safeguards.
- Consequences of CJEU ruling: Member states have the power to examine SCCs in the light of the requirements set out by the Court in the Schrems
- Role of CJEU: In case of doubt, DPAs should bring a case before a national court, which in turn may make a request for a preliminary ruling to the CJEU.
- Notification or pre-authorization: While there is no prior authorization requirement in many member states’ legislation transposing Directive 95/46/EC, some member states maintain a system of notification or pre-authorization for the use of the SCCs. Where they do so, the national DPA must compare the clauses in the contract at issue with the SCCs and verify that no changes have been made. If the clauses have been used without amendment, the authorization is automatically granted in principle.
- Additional Measures: Data exporters may have to take additional measures. For example, if a data importer informs a data exporter that certain conditions may prevent the importer from fulfilling its obligations under the contract, the exporter must ensure appropriate safeguards are put in place.
- Supervision of DPAs: Regarding the application of SCCs, both data exporters and, by subjecting themselves to the contract, data importers, fall under the supervision of DPAs.
- Rights of Data Subjects: EU data subjects, as third-party beneficiaries to the SCCs, can invoke rights derived from the SCCs before a DPA or a member state court.
- Compatibility of SCCs with other instruments: The adoption of SCCs does not prevent companies from relying on other instruments, such as ad hoc contractual arrangements, to demonstrate that their transfers take place with sufficient safeguards within the meaning of Article 26(2) of Directive 95/46/EC. Pursuant to Article 26(2) of the Directive, these must be approved on a case-by-case basis by national authorities. Some DPAs have developed guidance in this field, including standardized contracts or detailed rules to be followed in drafting data transfer clauses.
Throughout, the Communication expresses regard for the independence of DPAs and refers to the Article 29 Working Party opinions and statements on these issues, so it is important for affected companies to consider DPA statements and to heed the Working Party’s announcement that it may bring coordinated enforcement action by the end of January 2016 if a negotiated solution is not achieved by then.