As promised, the European Commission has issued guidance on the alternative tools available for EU-US data transfers following the Schrems ruling. The Commission highlighted that it has intensified talks with the US government on a new arrangement for transatlantic data transfers to ensure it complies with the standard set by the CJEU in Schrems.
The guidance set out the alternative bases for transatlantic data flows as:
- Standard Contractual Clauses (SCCs) – The Commission has issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EEA, and one set for transfers to data processors established outside the EEA. Each of these sets of model clauses lays down the respective obligations of data exporters and importers. The model clauses also require that EU data subjects be able to invoke, before a DPA and/or a court of the Member State in which the data exporter is established, the rights they derive from the contractual clauses as a third party beneficiary.
In principle, incorporating the SCCs in a contract (without amendment) means that national DPAs are under the obligation to accept those clauses. This is without prejudice to their power to examine these clauses in light of the requirements set out by the CJEU in Schrems. Most companies use SCCs to carry out their international data transfers.
- Binding Corporate Rules (BCRs) for intra-group transfers – A multinational company can adopt BCRs to transfer personal data from the EU to affiliates located outside the EU. BCRs need to be authorised by the DPA in each Member State from which the multinational company wishes to transfer data.
Like the SCCs, these rules are binding on the members of the corporate group and enforceable in the EU by the individuals whose data are being processed by an entity of the group. Such individuals are entitled as third party beneficiaries to enforce compliance with BCRs by lodging a complaint before a DPA and bringing an action before a Member State court. The BCRs must designate an entity within the EU which accepts liability for breaches of the rules by any member of the group outside the EU which is bound by these rules.
- One of the derogations expressly listed in Article 26(1) (a)-(f) of the Data Protection Directive 95/46/EC – Derogations listed include, for example, where the data subject has unambiguously consented to the proposed transfer or where the transfer is necessary for the performance of a contract between the data subject and the controller (e.g. a hotel reservation or bank transfer). The guidance notes that the Article 29 Working Party considers that these derogations should be strictly interpreted, and recommends that mass or repeated transfers of data should, where possible, be carried out within a specific legal framework such as SCCs or BCRs.
The guidance concludes that whilst alternative tools authorising data flows can be used by companies for lawful data transfers to third countries like the US, a renewed framework for transfers of personal data to the US remains a key priority. The objective of the Commission is to conclude the negotiations for a renewed framework within the next three months.
The guidance clarifies, once again, that data transfers between the EU and the US can no longer be carried out on the basis of the Safe Harbour Decision. It states that the alternative bases available for transfers of personal data to the US are without prejudice to the powers of the DPAs to examine the lawfulness of such transfers. In case of doubt, the Data Protection Authorities (DPAs) should bring a case before a national court, which in turn may make a request for a preliminary ruling to the CJEU. The Schrems ruling clarifies that the CJEU alone has jurisdiction to declare a European Commission adequacy decision to be invalid.
The guidance further highlights that although the scope of the Schrems decision is limited to the Safe Harbour decision, each of the other adequacy decisions (like Article 3 of the Safe Harbour decision) limits the powers of the DPAs and needs to be amended to ensure that DPAs remain free to investigate complaints by individuals.