Saturday, November 7, 2015

Safe Harbor: European Commission issues guidance to clarify the EU-US data transfer conundrum



• Binding Corporate Rules ("BCRs") can allow personal data to move among the entities of a corporate group worldwide. BCRs are not only binding on members of the corporate group but are also enforceable in the EU.

• Derogations (which include performance of a contract, public interest grounds, free and informed consent of the individual, etc.) may apply, but the Article 29 Working Party (the European Commission's advisors on data protection matters) considers that, due to their exceptional nature, the derogations should be strictly interpreted.

Role of national Data Protection Authorities ("DPAs")

In its guidance, the Commission also recalls the following two points: (1) transfers to a third country can be lawfully made only if the data have originally been collected and further processed by a data controller established in the EU; and, (2) where the Commission does not find adequacy, controllers are responsible for making sure that transfers take place with sufficient safeguards. Compliance with these requirements is ultimately assessed by national DPAs.

This means that DPAs have a central role to play as they are the main enforcers of the fundamental rights of data subjects and responsible for supervising data transfers from the EU to third countries, in full independence. The Commission invites data controllers to cooperate with the DPAs, thereby helping them to effectively carry out their supervisory role.

The Commission's guidance aims to clarify under which conditions transfers of EU personal data to the US can continue, but is without prejudice to the powers of the DPAs to examine the lawfulness of transatlantic transfers. The guidance does not lay down binding rules and respects the powers of national courts to interpret the applicable law. Nor does the document form the basis for any individual or collective legal entitlement or claim.

Although the scope of the Schrems Judgment is limited to the Commission's Safe Harbor Decision, each other adequacy decision includes a limitation on the powers of DPAs (Article 3 of the Safe Harbor framework allows national supervisory authorities to take action to ensure compliance (e.g. suspend data flows to a self-certified organisation) but only under restrictive conditions). There is a high threshold for intervention, which the CJEU considers invalid. The Commission will now prepare a decision replacing that provision in all existing adequacy provisions.

For further information please email dataprivacy@dlapiper.com.
