Big changes ahead? Nope, still business as usual – for now
Despite initial alarm, it is indeed business as usual for the big players. Timmermans was quick to point out that the “alternative mechanisms” available to companies wanting to transfer data to the US, specifically so-called “model clauses” and binding corporate rules (BCRs). “We will come up with guidance for DPAs. This should help avoiding a patchwork between different DPAs which are responsible,” said the Commish veep.
The social network at the centre of the case will be okay, but still wants more assurances. “Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from safe harbor. It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” said a Facebook spokesman.
Ilias Chantzos, Symantec’s European director of government affairs was not convinced: “Symantec believes that the recent ruling will create considerable disruption and uncertainty for those companies that have relied solely on safe harbor as a means of transferring data to the United States.”
The question that was not answered by the commission is, why other mechanisms that facilitate data transfers to the US, such as model clauses and BCRs, wouldn’t fall foul of the same judgement from the ECJ. What is true of safe harbour – that US security agencies ignore it – is also true of these other mechanisms that the commission is now pushing as a panacea.
The only real difference is that if another “Max Schrems” complains that his data is being mishandled under contracts or BCRs, European DPAs would have an obligation to investigate. This may provide some legal certainty for businesses, but wouldn’t necessarily guarantee that EU citizens' personal data is any safer in the first place.
“On the basis of this ruling, we urge European legislators to explore better ways to protect the privacy rights of their citizens when personal data is being transferred globally. The decision to allow the transfer of data outside the EU cannot be left to the discretion of the commission alone. The Parliament and EU data protection authorities have to be involved,” said Estelle Massé, policy analyst at digital human rights campaign group Access.
Jorg Hladjk, counsel at law firm Hunton & Williams, said that “companies should assess alternative data transfer mechanisms to see which solution fits them best. However, there is a question whether the issue will not be the same for these other transfer mechanisms when the US is considered not to be adequate.”
“The upcoming guidance by the national data protection authorities will be crucial to provide more legal certainty for companies in the interim. Only if the national data protection authorities stay coordinated on how to exercise their powers and assess data transfers going forward, a patchwork of approaches across the EU can be avoided,” he continued.
Schrems, meanwhile, was pleased that US companies which “obviously aided US mass surveillance (e.g. Apple, Google, Facebook, Microsoft and Yahoo!) may face serious legal consequences from this ruling when data protection authorities of 28 member states review their cooperation with US spy agencies. The judgement makes it clear, that now national data protection authorities can review data transfers to the US in each individual case – while ‘safe harbor’ allowed for a blanket allowance.”
Still mumbling, still stumbling
Many of those involved , including US Secretary of Commerce Penny Pritzker are pinning their hopes on a re-negotiated safe harbour deal. “The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible,” she said in a statement.
“We are prepared to work with the European Commission to address uncertainty created by the court decision so that the thousands of US and EU businesses that have complied in good faith with the safe harbour can continue to grow the world's digital economy,” she added.
However, talks for a new deal have been going on for two years without a breakthrough. Sources in Brussels say that the national security exemption has been the big stumbling block – spies wanna spy – but that the court ruling may give the EU's negotiators some added ammunition.
In the meantime, a first round of discussions between experts has been organised this week in Brussels. The EU Commission has promised to work with the A29WP to come up with guidelines and recommendations for businesses and data protection authorities. They will be hoping another enterprising young law student doesn’t blow a hole in those plans and decide to test the validity of the backup instruments. ®