Safe Harbor fallout: where are we now?

As we all know, the EU decided to invalidate Safe Harbor on 6 October 2015.  Please see our Insight article and blog post for a quick recap.  But what has happened since?

Article 29 WP Guidance

The most significant guidance is from the A29 WP.  The key points were:

  • International data transfers from Europe based on Safe Harbor are now unlawful;
  • Model Clauses (also known as Standard Contractual Clauses) and Binding Corporate Rules (BCRs) can still be used.  However they are under review and do not prevent individual DPAs from investigating particular cases;
  • By the end of January 2016, if no appropriate solution with the US authorities is found, EU DPAs will take “appropriate actions” (= enforcement?);
  • For more information on the Working Party statement, please see our blog post.

What do DPAs say?

Most EU DPAs have now issued statements on Safe Harbor.  Many welcomed the decision!

The UK approach is “don’t panic”.  The ICO has said that there are alternative mechanisms to Safe Harbor and recommends model clauses.

The French DPA (the CNIL) calls on companies to implement model clauses to transfer data to the US but doesn’t reference other transfer mechanisms such as BCRs or the derogations (e.g. consent).  The CNIL also re-affirms the Working Party position on possible enforcement in due course.

The most extreme position comes from the German DPA for Schleswig-Holstein.  It disagreed with the Working Party opinion and said that neither model clauses nor consent provide a legal basis for data transfers.  However, the joint position paper of the German Federal State DPAs simply said that German DPAs will not issue “new approvals” on the basis of BCRs or data export agreements.  This is certainly “drawing a new line in the sand”.  In addition, this has slowed down German approvals of BCRs and any approvals of transfer agreements (where approval is required).  However, provided you use the standard Model Clauses, no approval is required in Germany.

What are companies doing in practice?

Companies are seeking to address the issue proactively.  Some are conducting assessments to identify what data is being transferred internationally.  Others are incorporating this within global privacy audits and programmes.  As a minimum, companies are implementing model clauses both intra-group and with vendors.  There is usually a need to prioritise the larger transfers of more sensitive information and the bigger vendor offerings to get the job done.  As we know, many vendors are offering pre-signed Model Clauses.  These need careful review.  Some strike a fair balance between strict legal requirements and a pragmatic approach but some go further.

What’s next?

We are told that the new Safe Harbor deal is imminent. But we are living in a time of uncertainty.  So risk-based decisions are required.

As you’ll have seen, the final GDPR text was released this week too!

A little more holiday reading…