On 6 November 2015, the EU Commission issued a communication addressed to the EU Parliament and EU Council with the aim of providing an overview of alternative tools for transatlantic data transfers and to further explain the consequences of the Schrems judgment of the Court of Justice of the European Union ("CJEU") of 6 October 2015 (C‑362/14).
The guidance begins by acknowledging the growing industry concerns about data transfers in light of the Schrems judgment and an inherent need to clarify when transfers may continue. Therefore, the Commission outlines the alternative bases for transferring personal data to the United States.
Particularly, transfers may occur when a controller adduces appropriate safeguards through Standard Contractual Clauses ("SCCs"), Binding Corporate Rules ("BCRs"), or through one of the derogations expressly listed within Directive 95/46/EC (the "EU Data Protection Directive"). The Commission discusses these transfer solutions in light of relevant Article 29 Working Party recommendations.
The Commission has approved four sets of SCCs that are considered fulfilling the requirements of the EU Data Protection Directive, two for transfers between controllers and two for controller to processor transfers (with only one of these last two sets remaining available for new contracts). The SCCs lay down respective obligations of data importers and exporters including (i) security measures, (ii) information to be provided to the data subject in case of transfer of sensitive data, notification to data exporter of access requests by the third countries' law enforcement authorities or of accidental or unauthorised access, and (iii) third party beneficiary rights.
The SCCs are Commission decisions, which are binding on Member States. Therefore, utilizing SCCs in a contract means that Data Protection Authorities ("DPAs") are, in principle, under an obligation to accept those clauses and cannot refuse the transfer of data on the sole basis that the SCCs would per se not offer sufficient safeguards. There is no requirement for prior DPA approval; however, some Member States have a notification or pre-authorization requirement, which verifies that no changes from the SCCs have been made. If there are no amendments the authorization is in principle automatically granted.
DPAs may still examine the SCCs and particular transfers made under these in light of the Schrems ruling. In this case, the Commission recommends that DPAs, if in doubt, bring the case before a national court, which in turn could make a request for a preliminary ruling to the CJEU. Companies may still utilize ad hoc contractual arrangement to demonstrate that the transfers take place with sufficient safeguards in line with the EU Data Protection Directive. However, these arrangements would need to be approved on a case-by-case basis by DPAs.
BCRs can be utilized to transfer personal data from the EU within a multinational group through a single set of binding rules. The Commission references the Article 29 Working Party's working paper n° 153 which lays out substantive and procedural requirements for BCRs in line with the EU Data Protection Directive. These requirements also include third-party beneficiary rights and the designation of an entity within the EU that will accept liability for breaches by any member within the group. In addition, most Member States require pre-authorization before data transfers can take place on the basis of BCRs.
The Commission observes that while some DPAs (notably the German DPAs) have expressed doubts about the possibility to use transfer instruments such as SCCs and BCRs in transatlantic data flows, the Article 29 Working Party has announced that it will continue to examine the impact of the Schrems judgment on these existing transfer tools.
There are derogations from the general prohibition on the transfer of data outside of the EU to a country without an adequate level of protection. Therefore, the Commission describes what companies can do in the absence of adequacy decisions, SCCs, and BCRs.
Specifically, personal data can still be transferred to third countries outside of the EU to the extent that one of the listed derogations set out in the EU Data Protection Directive applies.
The derogations are:
1. Unambiguous consent by the data subject.
The Commission explains that prior consent must be obtained before the transfer takes place and that the process of obtaining consent should be achieved in line with Article 29 Working Party recommendations, which require consent to be unambiguous, freely given, specific, and informed. Because consent must be unambiguous, the Commission denotes that implied consent would likely not qualify as sufficient. Moreover, if consent is obtained online, the subject should be able to opt-in actively through unchecked tick boxes.
Lastly, data subjects should be informed that their data could be transferred outside the EU to countries not considered providing adequate levels of protection. Consent may be withdrawn at any time.
2. Transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request.
The Article 29 Working Party considers that there should be a "close and substantial connection" and "direct and objective link" between the data subject and purposes of contract (the "Necessity Test").
The Commission provides the example of the transfer of personal data for the completion of a hotel reservation.
3. Transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party.
The same Necessity Test is applicable. The Commission provides the example of a beneficiary of an international bank transfer.
4. Transfer is necessary or legally required on important public interest grounds or for the establishment, exercise or defense of legal claims.
The Commission provides the example of the transfer of information by a company to defend itself in court.
5. Transfer is necessary to protect vital interest of data subject.
6. Transfer is made from a register which according to laws or regulations is intended to provide public information and is open to consultation by the public or by any person who can demonstrate a legitimate interest to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
In each of these listed derogations, the data exporter does not have to ensure adequate protection and usually there is no need for prior authorization. However, the Commission references the Article 29 Working Party guidance that suggests repeated, mass, or structural transfers should be carried out with sufficient safeguards.
The Commission ends its guidance by discussing the consequences of the Schrems ruling on adequacy decisions issued by the Commission. It highlights that the CJEU does not question the Commission's power to provide adequacy decisions.
Therefore, if adopted, these decisions are binding on all Member States and DPAs. However, the DPAs remain competent to examine claims that data transfers do not comply with the EU Data Protection Directive, but DPAs cannot make a definitive finding of adequacy of a Commission decision. Furthermore, the Commission states that self-certification can still be sufficient if there are effective detection and supervision mechanisms that make it possible in practice to identify and sanction any infringements of data protection rules.
The Commission explains that it will now prepare a decision to be adopted in line with the Schrems judgment and will engage in the assessment of existing and future adequacy decisions, including periodic joint reviews of their functioning with competent authorities of the third country in question.
In its final remarks, the Commission stresses that a renewed and sound framework to transfer data to the United States is a key priority with the aim to conclude discussions and achieve the objectives of stronger monitoring and enforcement, customer transparency, easier redress possibilities, and clearer rules on onward transfers within the next three months.