The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor. Importantly, LIBE has also called on the Commission to reassess whether the European Court of Justice’s recent invalidation of Safe Harbor casts doubt on other means for legitimizing the transfer of personal data from the EEA to the US.
As I’ve commented previously, the ECJ’s rationale in the Schrems Safe Harbor decision could be used to attack both BCRs and Model Clauses. LIBE certainly seems to have picked up on that also.
Furthermore, while many companies are now focusing on getting the data subject’s consent to data transfers (one of the available “derogations” from the ban on ex-EEA data transfers), some EU legal commentators think that courts will take an extremely narrow view of the validity of consents that are built into privacy policies or terms of use (or possibly even any consent in any form) when the personal data is being transferred to the US. Many Europeans seem to be persuaded that the NSA has unbounded authority (and capacity) to requisition European personal data, and that any transfer of personal data to the US is inherently offensive to the “fundamental freedoms ” of the individual (which includes the right of privacy) and should not be permitted under virtually any circumstance. (For a different view, see Peter Swire’s article on US intelligence laws and practices based on his participation in President Obama’s independent Review Group on Intelligence and Communications Technology.) Unfortunately, given the prevalence of the view in Europe that individuals’ privacy rights are not adequately protected against the indiscriminate mass surveillance by the US, there is a real possibility that, in Europe, the individual’s current right to make a decision about allowing his or her personal data to be transferred to the US might be lost through legislation (in particular, the new Regulation) or the courts.
Here’s an excerpt from LIBE’s press release:
MEPs welcome the 6 October ruling by the European Court of Justice (ECJ) in the Schrems case, invalidating the Commission’s decision that Safe Harbour provides sufficient protection for the data of EU citizens when it is transferred to the US, thus vindicating Parliament’s long-standing concerns about the agreement. The Commission must immediately take the necessary measures “to ensure an effective level of protection” equivalent to the protection ensured in the EU, they say.
They protest that Parliament has received no formal feedback from the Commission regarding the implementation of the 13 recommendations for a “safer” Safe Harbour, and stress that “it is now urgent that the Commission provide a thorough update on the negotiations thus far and the impact of the judgement on the further negotiations.”
They also invite the Commission to reflect “immediately” on alternatives to Safe Harbour and on the “impact of the judgement” on any other instruments used for the transfer of personal data to the US and report on it by the end of 2015.
The full press release is available here.
As always, we need to try to chart a course of action to comply as best as possible with what seems to be an increasingly unstable legal landscape in Europe. So I will conclude by saying that model clauses, BCRs and consent are still available means of legitimizing data transfers from the EEA to the US. For now, and until we get decisions to the contrary by national or regional Data Protection Authorities, courts, the ECJ or the Commission – or until these means are eliminated or restricted by the new Data Protection Regulation, which is still under negotiation.
On a personal note, as someone who lives in the United Kingdom, I will say that if the new Regulation, a DPA or a court says that I will no longer have the right to consent to the transfer of my personal data to the US because I couldn’t possibly appreciate the grave threat to my privacy rights and shouldn’t be allowed to “bargain away” a fundamental right, and I lose access to Facebook or Google as a result, I will be mightily displeased. And it’s possible that I won’t be the only EEA resident who feels that way.
Disclaimer: The views expressed above are my own and should not be attributed to Mintz Levin.