One month after the landmark decision in Schrems vs. Data Protection Commissioner (C-365/14), the European Commission (Commission) has issued guidelines, in the form of a Communication, regarding the transfer of personal data from the EU to the U.S. As we discussed in an earlier post, the Schrems decision invalidated the Safe Harbor program, which was the easiest method for U.S. companies to comply with EU data protection laws.
The Communication released by the Commission offers alternative methods for compliance with EU data protection laws, while also highlighting the efforts the Commission is taking to develop a renewed and sound framework for personal data transfer to the U.S.
The Commission identifies three alternative methods for transferring personal data to the U.S.:
- Standard Contractual Clauses (SCCs) – The Commission has approved four sets of SCCs, which include rights and obligations regarding personal data transfers. Because these SCCs, in principle, require national authorities to accept these clauses, the national authorities cannot refuse the transfer of personal data on the sole basis that these SCCs do not offer adequate safeguards. This is without prejudice to their power to examine these clauses in light of the Schrems decision.
- Binding Corporate Rules (BCRs) – BCRs allow personal data to be transferred freely among the various entities of a corporate group. BCRs are binding on members of a corporate group, are enforceable in the EU, and require a designated entity within the EU to accept liability for breaches of the rules by any member of the group outside the EU which is bound by the BCRs.
- Derogations – Derogations allow personal data to be transferred outside the EU when, among other reasons, the transfer is necessary for the performance of a contract, the transfer is necessary or legally required for the establishment, exercise, or defense of a legal claim, or unambiguous consent is given by the data subject prior to the proposed transfer. The Article 29 Working Party, which advises the Commission, states that these derogations are to be strictly interpreted.
After identifying which alternative method is best, companies must be aware that there are often additional required steps to complete before a method is used. For example, some Member States require notification and/or pre-authorization in order to use the SCCs, while all Member States require approval by the Data Protection Authority of data transfers on the basis of BCRs.
The Commission recognizes that these additional steps and alternative methods are more burdensome and costly to companies and, as such, has intensified talks with the U.S. government to develop a framework for future transfers of personal data. The Commission hopes to conclude the discussion and offer up a solution in three months.
In the meantime, companies will need to continue to work with counsel to ensure they are meeting the current requirements for personal data transfers from the EU to the U.S.