We have all read the headlines (“You say Safe Harbor, we say Safe Harbour, let’s call the whole thing off?”), but what does the Court of Justice’s judgment in Schrems v Data Protection Commissioner C-362/14 mean for litigators?
There are two circumstances when litigators tend to think about data protection: as part of a disclosure exercise or when responding to a request from a foreign court or regulator. The Schrems judgment is about “business-as-usual” transfers to the US, but it has meant that all transfers are increasingly in the spotlight.
Impact on disclosure
In relation to disclosure, the pressure to export personal data may stem from a desire to keep costs down. To the extent that cost is the reason (and admittedly it may well not be when exporting data to the US), the difficulty has always been that saving costs is not, per se, a legitimate reason from a data protection perspective.
By ruling that the Commission’s Decision 2000/520 is invalid, the Court of Justice has called a halt to relying on so-called Safe Harbour as a means of transferring personal data from the EEA to the US. In the short term, this means that, for any transfer of this kind to be legitimate, it needs to rely on other forms of protection. In its public statements, the Commission has been understandably keen to avoid disquiet. It points to model clauses and binding corporate rules that it says remain unaffected by the judgment. The Article 29 Working Party, which advises the Commission on data protection, has stated that, in the interim, these methods can still be used, but even they may not be sacrosanct in the event of a specific complaint. The Working Party suggests the solution may lie in an intergovernmental agreement between the EU and the US.
There are also derogations on which it is theoretically possible to rely. The one that usually springs to mind is the consent of the data subject. However, consent needs to be freely given, specific and informed. Demonstrating this is far from easy.
Impact on responding to requests from foreign courts or regulators
When considering responding to a foreign obligation to disclose data arising from US litigation or the request of a US regulator, companies need to exercise care. Allen & Overy partner, Nigel Parker, has explored some practical suggestions. Ideally, the company would only be collecting and retaining information required for business or regulatory reasons in the first place. Also, standard form notice and consent language would have been included in customer and employee terms and conditions and the registration with the Information Commissioner’s Office would clearly cover the potential transfer. In terms of responding to the request, it is important to establish that it has a clear legal basis. There is always merit in seeking further information and trying to negotiate to see if the request can be narrowed. Finally, minimising the data actually transferred and potentially anonymising or redacting the data are worth considering. In some cases, it will be possible to obtain a specific consent from individuals to undertake a particular disclosure and transfer of their personal data.
When it comes to the mechanics, the company should consider whether the request can be re-framed so that the transfer can be effected via a domestic authority (where the request comes from a US regulator) or pursuant to the Hague Convention (where it relates to US litigation).
US regulators and US courts that request “EU data” from US companies are sensitive to EU data privacy laws, but if and when they ultimately formally request the data, the consequences of non-compliance from a US perspective are likely to be severe. This pure conflict between legal regimes is what is most difficult to navigate. This will only become more pronounced if any new EU data protection regulation includes the power to impose significant fines.
The Article 29 Working Party has indicated that from the end of January 2016, if no political solution has been reached, coordinated enforcement may be one of the consequences. In the meantime, the best advice is to adopt a multi-layered approach to compliance so that companies can point to more than one basis for any transfer.