Reflections on the transfer of personal data to American providers after the “Safe Harbor” decision
The decision of the Court of Justice of the European Union (CJEU) dated October 6, 2015[1] invalidated the “Safe Harbor” framework, which had, since 2000[2], authorized the transfer of personal data from within the European Union to “Safe Harbor”-certified companies located in the United States.
As a reminder, the United States does not provide an adequate level of protection, and consequently the transfer of personal data to companies located in that country is in principle prohibited[3]. However, by way of exception, prior to this decision, European companies could transfer personal data to American providers/data processors only if the latter i) self-certified that they committed to implementing processes ensuring an adequate level of protection, or ii) entered into agreements with the European data controller incorporating the “model contract clauses” issued by the European Commission[4].
In its decision dated October 6, 2015, the CJEU held that the “Safe Harbor” certification no longer provided a sufficient level of privacy protection, in view of Edward Snowden’s 2013 disclosures of the NSA’s mass surveillance programs. Since the decision took effect immediately, any and all transfers of personal data made on the basis of that certification are consequently illegal and should in theory be terminated or otherwise modified to conform to the decision.
Following this decision, the French Data Protection Authority (CNIL) and its European counterparts (the Article 29 Working Party) met on October 15 to prepare a common action plan aimed at the creation of a new legal framework. Accordingly, the Article 29 Working Party called on the European institutions and governments to put in place, before January 31, 2016, a new legal framework enabling the transfer of data between Europe and the United States. Such a solution could be sought through intergovernmental negotiations, and the implementation of a new “Safe Harbor” framework could be considered.
The Working Party continues its analysis of the consequences of the CJEU decision on the other means available to transfer data to the United States, particularly regarding the aforementioned “model contract clauses”. The Working Party indicated that, pending the implementation of the new regulations, European companies are still permitted to employ these “model contract clauses” for the transfer of personal data to the United States.
However, personal data of European companies or individuals transferred to American providers under these “model contract clauses” may still be subject to NSA intrusion to the same extent as when the “Safe Harbor” framework was used. A court decision or a CNIL recommendation could also invalidate the use of such clauses[5].
Pending the signature of a new intergovernmental agreement or the implementation of new transfer means, what strategy should the companies adopt today?
Given the current context, European companies wishing to transfer their data to the United States should act with caution and should accordingly implement legal and technical measures to limit the risk taken when transferring personal data. In practice, this essentially involves negotiating restrictive contractual clauses with the providers receiving that data in the United States.
Such clauses should notably include:
i) at a minimum, all of the obligations provided in the “model contract clauses”;
ii) the following additional obligations for American providers operating a Cloud Computing service:
  - information regarding the data processing (compliance with the French Data Protection Act[6], a definition of the processing methods in place, obtaining the client’s consent should the processing be entrusted to another data processor, limitation of the data retention period, and a guarantee that these obligations are passed on in subcontracting agreements);
  - the implementation of a complaints system and of measures to prevent security flaws;
  - the right for the client to audit the provider;
  - the destruction of the data and its return, in a format chosen by the client, at the end of the services or in case of early termination of the contract;
  - a detailed specification of the provider’s data security obligations (including physical and technical security measures, traceability, continuity of service, service levels and backups) and a stipulation that the provider may act only on instructions from the client;
  - the provider’s cooperation with the relevant data protection authorities and an obligation to supply the client with all information needed to file the data processing declaration with those authorities;
  - a clear and exhaustive list of the countries hosting the data, together with a guarantee of adequate protection in those countries;
iii) finally and most importantly, to anticipate any change of position by the CNIL, the following specific obligations ensuring the legality of the transfer under all circumstances:
  - the obligation to take all necessary technical and legal measures to comply with developments in the French Data Protection Act and with CNIL recommendations;
  - in the event that compliance with such developments proves impossible, an automatic termination clause with the obligation to return the data and then delete it, at no additional charge to the client.
Up until now, the use of “Safe Harbor” data processors was principally governed by standard terms and conditions or boilerplate agreements which European clients were unable to negotiate. The position of formerly “Safe Harbor” American providers is now uncertain and will necessarily force them to amend their contracts to meet the requirements of their European clients. The CJEU decision may thus have the merit of rebalancing the relationship between European data controllers and American service providers.
[1] CJEU decision dated October 6, 2015, Case C-362/14, Maximillian Schrems v. Data Protection Commissioner.
[2] Commission decision dated July 26, 2000.
[3] Indeed, under Directive 95/46, the transfer of personal data to countries outside the European Union which do not provide an adequate level of protection is prohibited.
[4] It should be noted that another contractual means of transferring data was provided for companies belonging to the same group (“Binding Corporate Rules”).
[5] In this respect, it should be noted that a German data protection authority has expressed its wish to also invalidate the model contract clauses and to authorize data transfers to the United States only subject to changes in that country’s legislation.
[6] Act no. 78-17 dated January 6, 1978.