Last Friday, the Article-29 Data Protection Working Party (WP29) put pressure on the European Commission to establish a new legal basis for cross-border data transfers. Although the European Commission is already negotiating Safe Harbor 2.0, the working party stated that “if by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
The statement signals hope for a fast solution to the current situation, in which companies in Europe and the US face considerable uncertainty about legal ways to transfer data across borders.
Article 25 of Directive 95/46/EC, passed by the European Commission in 1995, is the legal basis for these actions. Paragraph 1 stipulates that countries have to ensure “an adequate level of protection” when personal data is transferred across borders. Based on this directive, the European Commission signed Decision 2000/520/EC in the year 2000, better known as Safe Harbor. Since the CJEU declared the agreement invalid, certain alternatives have been suggested to allow for legal data transfers. The two most important are “EU Model Clauses (Standard Contractual Clauses)” and “Binding Corporate Rules (BCR)”. Although some companies such as Microsoft and Google have already relied on model clauses for several years, these two mechanisms for legalizing data transfers have attracted more attention since the CJEU decision on Safe Harbor.
Standard Contractual Clauses rely on paragraph 4 of Directive 95/46/EC. According to experts, model clauses are fast and easy to establish and, even more important, approved by the European Commission (2001/497/EC, 2004/915/EC and 2010/87/EU). In detail, Standard Contractual Clauses legalize data transfers from a data controller within the EU to a data controller or processor outside the EU.
Binding Corporate Rules are a second way of legalizing data transfers; more specifically, they are a mechanism to legitimize data transfers within corporate groups such as multinational companies. Experts agree that this method is very convenient, as it allows more flexible arrangements between the different companies than model clauses can provide. However, they have to be approved by national regulators, which can take up to 18 months.
The Article-29 Data Protection Working Party has already declared that “Standard Contractual Clauses and Binding Corporate Rules can still be used” until a final solution between the European Commission and US authorities, namely Safe Harbor 2.0, has been reached. However, “this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.” The current state of the Safe Harbor 2.0 negotiations is that both parties have already agreed on 11 of 13 recommendations of the European Commission. The remaining two are difficult issues because they address the access of US authorities to the transferred data.
When looking at Safe Harbor 2.0, it is important not to confuse it with the so-called Umbrella-Agreement. In September 2015, before the CJEU decision was made and after 5 years of negotiations, the EU and US authorities finalized that agreement, which regulates data transfers across borders but only for the purposes of terrorism prevention and prosecution of crime. Therefore, the Umbrella-Agreement does not regulate the transfer of data for commercial purposes.
In conclusion, there is a light at the end of the tunnel. There will be a new agreement that follows the invalid Safe Harbor. Hopefully, this one will be in line with the CJEU. In the meantime, it seems that Standard Contractual Clauses and Binding Corporate Rules may be an interim solution.