Many companies have not yet given sufficient thought to transferring personal data to countries outside the EER (the European Economic Area), even though unlawful transfers can result in fines of EUR 120,000 to EUR 500,000. If a company processes or has processed data outside the EER, for example by storing personal data on a server in the US, it should ensure that this transfer is legally covered.
The rules on transferring personal data to countries outside Europe changed considerably in 2016. The most important changes are set out below.
Data flow outside of Europe
Until the General Data Protection Regulation (the “Privacy Regulation”) starts applying in May 2018, the processing of personal data is regulated by the Privacy Directive (also known as the Data Protection Directive). The Privacy Directive prohibits the transfer of personal data from countries within the EER to countries outside the EER, unless an appropriate level of protection can be guaranteed. The European Commission can determine whether the level of protection provided by a particular country meets this requirement by means of a so-called ‘adequacy decision’.
Safe Harbour (or, in US English: Safe Harbor)
To facilitate the exchange of personal data between Europe and the United States, seven principles intended to guarantee an appropriate level of protection were developed between 1995 and 2000. The adequacy decision of the European Commission of 26 July 2000, which found that these principles provide a suitable level of protection in accordance with the Data Protection Directive, is publicly known as the
Safe Harbour: no longer safe
Following a complaint by the Austrian activist Max Schrems, Safe Harbour came under attack. Schrems objected to the transfer of his personal data to Facebook’s American servers. Because of this complaint, the Irish Court of Justice referred preliminary questions on Safe Harbour to the European Court of Justice. On 6 October 2015, the European Court of Justice ruled the
- The Safe Harbour decision did not obligate every company to comply with the Safe Harbour principles;
- The Safe Harbour decision did not obligate the U.S. federal government to adhere to the Safe Harbour principles, and explicitly allowed interference with protected personal data in the interest of the country;
- The Safe Harbour decision allowed U.S. investigative authorities to collect data in bulk.
The ECJ therefore ruled that the level of protection provided by Safe Harbour was insufficient.
New agreement: the EU – U.S. Privacy Shield
The invalidation of Safe Harbour intensified the negotiations between the European Commission and the U.S. on a new legal framework that would allow data transfers to continue. On 2 February 2016, the parties
Criticising the Privacy Shield
On 12 February 2016, the European Supervisor for data protection delivered preliminary advice on the Privacy Shield. On 13 April 2016, the so-called Article 29 Working Party (made up of representatives of the data protection authorities of each Member State) (“
- Even though limited retention is a fundamental principle of European legislation on this topic, the current text does not obligate companies to delete data once it has become obsolete;
- The U.S. is still allowed to collect data in bulk if this is deemed necessary to safeguard national security, meaning there is effectively no limit to this use;
- Although the appointment of an Ombudsperson is a noble idea, the text does not guarantee that the Ombudsperson will be given adequate powers to exercise that duty effectively.
On 30 May 2016, this opinion was followed by a statement from the European Supervisor, who was also critical of the Privacy Shield. The Supervisor even pointed out that, in its current form, the Privacy Shield might not survive an assessment by the European Court of Justice. To reiterate the view expressed in its opinion of 13 April 2016, WP29 issued a
Privacy Shield adopted
On 8 July 2016, the Member States of the European Union adopted the Privacy Shield, followed by an adequacy decision published by the European Commission on 12 July 2016. With this decision, the European Commission established that the Privacy Shield offers appropriate protection within the meaning of the Privacy Directive, and that data may be transferred to a company that has signed up to the Privacy Shield. On 26 July 2016, WP29 published a statement regarding the adequacy decision and the related meeting of 25 July 2016. The
Privacy Shield under fire
On 12 July 2016, directly after publication of the adequacy decision, the Privacy Shield came into force. As of 1 August 2016, companies can apply for certification. Over 500 companies have already signed up to the Privacy Shield, among them Facebook, Google and Microsoft. However,
Privacy Shield: the impact on companies
As long as the companies involved have signed up to the Privacy Shield, the transfer of data to the U.S. remains possible on that basis. If your company used to transfer data to an American company under Safe Harbour, it is important to verify whether the companies involved have now signed up to the Privacy Shield, or intend to do so. If your company transfers data without a legal basis, the Data Protection Authority may, as explained above, impose a fine.
Alternatives to the Privacy Shield
Signing up to the Privacy Shield is not the only option for lawfully transferring data to the U.S. Companies may also use the standard contractual clauses issued by the European Commission or, in the case of an international group, implement a set of so-called ‘binding corporate rules’ throughout the group. It is also possible to apply to the Data Protection Authority for a permit for data transfer to countries outside the EER.
- Standard contractual clauses
Personal data transfer to a country outside the EER is also permitted on the basis of standard contractual clauses approved by the European Commission. These standard contractual clauses are deemed to offer an appropriate level of protection of personal data. The European Commission has approved three sets of standard contractual clauses to date: two for controllers outside the EER (one general, and one specifically for corporates), and one set for data processors. The standard contractual clauses are deemed to offer the appropriate level of protection only if they are adopted in full and without amendment; any addition or alteration has to be submitted for approval.
Currently, these standard contractual clauses are under pressure: on
- Binding corporate rules (BCR)
Under Dutch law, six exceptions may apply in which data may be transferred outside the EER without standard contractual clauses, a permit or BCR. These exceptions are the following:
- Unambiguous consent: the data subject has given unambiguous consent to the specific processing of his or her data;
- Execution of an agreement: the transfer is necessary in order to execute an agreement with the data subject (for example, an international payment);
- Interest of the data subject: it is in the data subject’s interest that an agreement with a third party be executed, and the data subject’s personal data must be provided for that purpose;
- Substantial public interest: the transfer of certain personal data is necessary because of a substantial public interest;
- Vital interest of the data subject: for example, because of an accident abroad, the data subject has a vital interest in the transfer of personal data. Please note that unambiguous consent is preferred in these instances;
- Public registers: some information is publicly available and accessible through registers established by law, such as the Cadastre or the register of commerce. This information may be passed on
The uncertainty about the Privacy Shield’s future could mean that, for your company, one of the aforementioned alternatives constitutes a better way to transfer data lawfully.