As if it were any surprise, last Friday, November 6, the EU Commission issued a Communication on the Transfer of Personal Data from the EU to the US, following the Judgment by the Court of Justice in Schrems declaring the Safe Harbor arrangement invalid (as previously discussed). In its Communication, the EU Commission emphasized the following: (1) the Safe Harbour arrangement can no longer serve as a legal basis for transfers of personal data to the US; and (2) the EU Commission commits to complete its negotiations with the US regarding a renewed framework for data transfers between the EU and US within three months.
The EU Commission’s Communication includes Guidance for companies on the use of alternative tools for transatlantic transfers of personal data until a new framework between the EU and US is put in place. The Commission promoted the use of Commission-approved Standard Contractual Clauses (“SCCs”), stating that because Commission decisions are binding in their entirety in the Member States, incorporating the Commission-approved SCCs in a contract means that national authorities are, in principle, under an obligation to accept those clauses. The Commission also explained, however, that companies are permitted to rely on other contractual agreements to demonstrate that their data transfers take place with sufficient safeguards, but that such agreements need to be approved on a case-by-case basis by national authorities.
The Commission also stated that, in order to comply with requirements necessary to transfer personal data from the EU to affiliates located outside the EU, a multinational company can adopt Binding Corporate Rules (“BCRs”). The Commission explained that BCRs must include substantive (e.g., purpose limitation, security of processing, transparent information to data subjects, restrictions on onward transfers outside the group, individual rights of access, rectification and opposition) and procedural (e.g., audits, monitoring of compliance, complaints’ handling, cooperation with Data Protection Authorities (“DPA”), liability and jurisdiction) requirements based on EU data protection standards. Further, the Commission indicated that most Member States require BCRs to be authorized by the DPA in each Member State from which the multinational company intends to transfer data. A standard application form has been created to speed up the application and approval process.
Notably, the Commission explained that the alternative data transfer mechanisms identified above are without prejudice to the independence and powers of the DPAs to examine the lawfulness of such transfers. Given the complexities associated with SCCs and BCRs, a renewed framework for transfers of personal data from the EU to the US is preferred because it would likely be more straightforward and contain fewer layers than the alternative mechanisms. Stay tuned for a potential agreement between the EU and the US to be reached in less than the three-month period identified in the Commission’s November 6, 2015 Communication.