In the aftermath of the Court of Justice of the European Union’s (“CJEU”) judgment invalidating Safe Harbor, on 16 December 2016 the European Commission published two decisions amending its previous decisions on standard contractual clauses (“SCC”) and its adequacy decisions on third countries. Arguably, the amendments have been made in order to minimise the risk of the earlier decisions being invalidated by the CJEU in the same way that Safe Harbor was invalidated back in 2015.
In its judgment in Schrems in October 2015, the CJEU ruled that national data protection authorities (“DPAs”) in Europe must retain the power to ensure that personal data is protected in accordance with the Data Protection Directive and the EU Charter of Fundamental Human Rights, and that this power cannot be restricted by a decision of the Commission.
Limitations to the powers of DPAs, similar to those that applied to Safe Harbor, exist both in the 10 adequacy decisions (other than for the Privacy Shield) and in the decisions adopting the SCCs.
After the CJEU invalidated Safe Harbor in 2015, many organisations, including high-profile global brands and platforms, switched to SCCs as the new basis for the transfer of EU user data to the US. However, the SCCs themselves are now subject to a validity challenge similar to that previously launched against Safe Harbor. The issue of transfers based on SCCs has been referred by the Irish DPA to the Irish High Court and could ultimately be referred to the CJEU. In light of this, the European Commission has decided to hurriedly change its decisions on SCCs as well as the adequacy decisions, arguably to prevent any risk of invalidation by the CJEU.
Changes to the decisions adopting standard contractual clauses (SCC)
In its Implementing Decision (EU) 2016/2297, the Commission has modified the decision in respect of controller-to-processor SCCs (2010/87/EC) as well as the decision on controller-to-controller SCCs (2001/497/EC modified by 2004/915/EC).
The purpose of the modification is to remove any illicit restriction on the DPA’s powers “to oversee data flows, including the power to suspend or ban a transfer of personal data when it determines that the transfer is carried out in violation of EU or national data protection law”.
The text of the SCCs themselves remains unchanged.
Changes to adequacy decisions
In its Implementing Decision (EU) 2016/2295, the Commission has modified each of the adequacy decisions for Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
The purpose is to remove any illicit restriction on the DPA’s powers that would prevent it from “examining the claim of an individual concerning the level of protection of personal data ensured in a third country subject to a Commission adequacy decision and, where it considers it well founded, to engage in legal proceedings before the national courts, in order for them, if they share the doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling [by the CJEU] for the purpose of examination of the decision’s validity”.
The nature of adequacy decisions is that DPAs “cannot adopt measures contrary to a Commission adequacy decision, such as acts declaring that decision invalid or which are intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection”.
Like the provisions in the GDPR, the revised decisions also include an obligation on the Commission to monitor developments in any third country’s “legal order that could affect the functioning of the adequacy decision, including developments concerning access to personal data by public authorities”. Depending on the particular facts of each case, it may be necessary to have discussions with the local DPA in order to prepare draft measures “repealing or suspending the decision or limiting its scope”. Member States and the Commission shall inform each other of situations such as failure by the local authority to secure compliance, excessive interference by authorities or lack of any effective legal protection against interference.
Are these decisions now safe for the future?
As regards the adequacy decisions for third countries, Working Party 29 (“WP29”) was consulted on these revisions (opinion 04/2016 WP 241) and found that the Commission has not carried out “an in-depth assessment” on “whether the public authorities in these third countries responsible for national security, law enforcement or other public interests do not interfere [with privacy and data protection rights,] beyond what is strictly necessary and that there is effective legal protection against such interference”. This issue was the second ground relied upon for the invalidation of Safe Harbor by the CJEU.
WP29 also regrets that the revisions did not cover those modifications that are necessary in light of the forthcoming GDPR (which becomes enforceable in May 2018).
It appears, therefore, that the work on these transfer tools is not complete. Moreover, following the reinforced power of DPAs and the fragility of adequacy decisions (including the Privacy Shield), it is more important than ever to take a precautionary approach to international transfers of data.