On 23 January, the European Commission announced that it had adopted an adequacy decision in relation to Japan, to enter into force immediately. The mutual agreement, which covers Japan’s 127m citizens as well as the whole of the EU, allows personal data to be transferred between Japan and the EU without the need for additional safeguards such as Standard Contractual Clauses, and creates the largest area of safe data transfers in the world.
Following the announcement by the European Commission of the newly agreed EU-US Privacy Shield, the missing piece of the jigsaw was the Article 29 Working Party’s stance on the adequacy of the existing mechanisms in place—in particular, standard contractual clauses and binding corporate rules. So after two days of intense discussions, the Working Party has issued a statement with its latest position, which is the follow-up to its original reaction to the invalidation of Safe Harbor last October. The bottom line: the Working Party still does not view US government surveillance laws as sufficiently protective of privacy—a position which calls all transfers of personal data to the US into question, regardless of the methods used to legitimise the transfer—but they will reconsider this position in light of the Privacy Shield in the coming months.
The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It has taken a couple of years since Edward Snowden’s revelations for the train to reach its highest point, but once the European Court of Justice ruled on the Schrems case, we knew it would be a bumpy ride. In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten the regime affecting international dataflows. The European Commission’s communication of 6 November to the European Parliament and the Council of the EU, coupled with its practical guidance, represents yet another turn in this uncertain journey. At the same time, the Commission’s intervention is helpful in terms of the decision-making process that many organisations—for which transatlantic transfers are vital—are trying to grapple with.
On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that companies should rely on “alternative tools” for authorizing data flows to third countries like the United States.
Spain is well known for having one of the most restrictive data protection regimes in the European Union. It also has some of the highest penalties (fines are up to € 600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency (AEPD) – with a reputation for being one of the fiercest in the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of € 450,000, € 900,000 and € 1,400,000.
Whilst the reform of the EU data protection framework continues its tortuous course in Brussels’ corridors of power, privacy pros in the real world are doing their best to cope with the current uncertainty. One of the ever-present sources of concern for those with data-related operations in Europe is how to overcome the restrictions affecting international data transfers in a cost-effective, sustainable and effective manner. In reality, there are many paths to follow, but choosing the right one is not always obvious—each case is different, and limited resources and time constraints often add an unwelcome degree of stress and complexity to the process.
On February 5th, the European Commission decided to modify the standard contractual clauses for transfers of personal data, repealing the original decision (Decision 2002/87/EU) that introduced these clauses back in 2002. The European Commission considered it necessary to adjust the existing standard contractual clauses to meet the growing challenges of global outsourcing.
As a reader of the Hogan & Hartson Chronicle of Data Protection, you are invited to have complimentary access to an on-demand webinar. Lawyers from Hogan & Hartson offices in London, Paris, Brussels, Berlin and Washington recently presented the webinar in partnership with the Association of Corporate Counsel for Europe, entitled “Navigating the Privacy Challenges: Crossing the Line in Cross-Border Data Transfers”. A link to the on-demand version of the webinar with the accompanying PowerPoint presentation is available through this blog entry.