With two weeks remaining until EU data protection authorities (DPAs) begin enforcing the Court of Justice of the European Union’s decision striking down the Safe Harbor adequacy decision, many organizations are uncertain about their ability to continue transferring the personal data of EU citizens across borders. This week, we asked Natascha Gerlach, a Senior Attorney in Cleary Gottlieb’s Brussels office, for her perspective.
The Chronicle (TC): What is the likelihood that we will see a new agreement before the deadline?
Natascha Gerlach (NG): It is possible. Negotiations have been ongoing at full speed, EU Justice Commissioner Vera Jourová was very optimistic last fall, and I understand that last week new proposals were exchanged. Given the time remaining and the seriousness of the subject matter, I am hopeful but perhaps a little skeptical at present. One major sticking point remains: how EU citizens can enforce their rights in the event of a violation in the United States, and the Judicial Redress Act that would address some of these concerns is currently before the Committee on the Judiciary.
EU President Juncker, together with the heads of government of the member states, issued a letter to President Obama this month to stress again the importance of not only a renewed Safe Harbor agreement but also a framework for transatlantic data flows in general, and to request President Obama’s engagement in the matter. To me, this demonstrates how seriously the matter is taken on both sides and perhaps also that some more “pushing” is still needed.
TC: Can companies rely on the alternate means of transfer provided for in the EU’s Data Protection Directive?
NG: For now, yes. A statement from the Article 29 Working Party, which was essentially echoed by the Commission, clarified that EU data protection rules still permit alternative transfer mechanisms, such as binding corporate rules (BCRs) and standard contractual clauses. Only the court can invalidate these mechanisms, not individual Data Protection Authorities (DPAs). However, DPAs can of course investigate individual cases and potentially refuse—and some have already—to approve new transfers.
Companies should also consider whether any other legal basis set forth in their member state data protection laws applies to their transfers. For example, could consent be a valid alternative? These are limited options, and it remains clear that for many businesses, Safe Harbor was the most viable option.
TC: What are some steps organizations should take to minimize the risk of transfers from the EU?
NG: Companies should study their data transfers from the EU and seek to limit them to the extent possible. Some ways businesses can minimize risk are to review data in place in the EU, to study how it flows, and to consider whether alternatives to the current setup exist. Data minimization is a key concept in data protection. Anonymization can also be explored.
In addition, and this is what makes it difficult, as data controllers, businesses must ensure that any third-party subcontractor involved in the processing of their data also complies with the EU’s data protection standards. Third-party relationships have become more complex with the advent of cloud-based service providers, and organizations need to determine not only how their data is transferred but also where it is stored and how it is accessed.
Finally, companies should ensure they have updated their data protection policies and train their staff and third parties on these policies to improve compliance.
TC: In the absence of a new Safe Harbor Framework, where should companies look for guidance?
NG: The European DPAs are scheduled to meet in Brussels on February 2 to agree on a way forward, and I hope to see some practical guidance to come from that meeting.
In December, the new General Data Protection Regulation (GDPR) was informally agreed, which will likely go into effect in 2018 after it clears the remaining hurdles. DPAs may begin interpreting existing laws based on the GDPR. U.S. organizations should also have the GDPR’s text handy as they plan how to handle data transfers in February and beyond.
Overall, the GDPR creates a more unified approach to data protection in the EU, as the regulation will have a direct effect in all member states. BCRs are expressly written into the regulation, and standard contractual clauses and the derogations of Article 26 of the Directive remain in place, so additional guidance on how to move forward from the DPAs is certainly needed.
Stay tuned to The Chronicle for updates as the situation continues to unfold.