Archive for the ‘Binding Corporate Rules’ Category

EU / US fail to agree Safe Harbor replacement within deadline

Posted on February 1st, 2016 by

Only moments ago,  EU Justice Commissioner Věra Jourová reported to the European Parliament that “talks are ongoing” in relation to agreeing a replacement for the Safe Harbor framework.

Negotiating parties had hoped to strike a deal ahead of meetings between the EU data protection authorities on the topic of EU-US data transfers which shall take place in Brussels on 2nd / 3rd February.  Other headline points from Commissioner Jourová’s update to the European Parliament included that the new arrangement needs to be “fundamentally different from the old Safe Harbor” and “able to withstand any new challenges.”

According to the Commissioner, discussions are continuing in relation to four key points:

  • Limitations and safeguards as to access to data by US public authorities;
  • Independent oversight and individual redress;
  • The resolution of individual complaints; and
  • Binding commitments from the US side.

In terms of next steps, Commissioner Jourová is due to provide a progress update on the EU-US talks to her fellow EU Commissioners tomorrow.  Following that, we can expect a pivotal set of discussions between the EU data protection authorities on data transfer mechanisms and for transatlantic negotiations to recommence in earnest.

Amidst this uncertainty, rest assured that the Fieldfisher Privacy, Security and Information law team will keep you posted on any breakthrough in negotiations or other notable developments.

The slow but inexorable fall of Safe Harbor

Posted on January 31st, 2016 by

Recently, my colleague Phil Lee posted an obituary on Safe Harbor. The article was funny, a touch provocative, but especially well grounded. As we reach towards the end of January, never has the fate of Safe Harbour seemed so uncertain.

For those who have been following our blog, you’ll know that on October 6th, 2015, the Court of Justice of the European Union (“CJEU“) ruled in a ground-breaking decision that the “massive and indiscriminate surveillance” of EU citizens by US public authorities (as revealed by Edward Snowden) after their personal data has been transferred to the US, is incompatible with the fundamental right to the protection of personal data under European law. As a result, the Safe Harbor framework was declared invalid and the national data protection authorities (“DPAs“) were ordered to act accordingly under their respective national laws.

Soon after, the Article 29 Working Party (“WP29“) issued an opinion, which gave the EU and US officials in charge of re-negotiating the Safe Harbor framework (now referred to as the “Transatlantic Data Transfer Agreement”) until the end of January 2016 to reach an agreement. A failure to do so would mean that the DPAs would begin to coordinate enforcement actions across Europe. Several DPAs (such as the CNIL in France and the AGPD in Spain) did not wait for this deadline to expire to initiate “soft” enforcement measures such as sending notice letters to all registered data controllers in their respective countries informing them that Safe Harbor could no longer be relied upon to transfer personal data to the US and, as a result, those controllers needed to implement an alternative data transfer mechanism that would enable them to continue transferring data lawfully.

This has usually required companies to quickly sign an intragroup data transfer agreement incorporating the EU standard contractual clauses between all the entities of the group and to update their data processing registrations with the relevant DPAs, including (where required) to obtain the DPA’s prior approval to transfer personal data to the US. For the bolder and more perspicacious organizations, they may also have started discussing Binding Corporate Rules as a more solid data transfer solution but also as a global privacy compliance framework that will enable them to better comply with the upcoming General Data Protection Regulation (“GDPR“).

In recent days, EU officials have been publicly alluding to the fact that we are nowhere closer to reaching a new deal on Safe Harbor. The blocking points remain the same. On the one hand, the vote in the Senate on the USA Judicial Redress Act has been delayed. This is viewed by EU officials as an essential condition for reaching a new Safe Harbor agreement because it would grant the same rights to EU citizens. This could take a while…

On the other hand, the US and EU cannot seem to agree on a common position regarding access to EU personal data by US public authorities for law enforcement purposes and reasons of national security. This is by far the most contentious point. The European Commission’s top officials recently reminded that the European Union would not agree to a new transatlantic data transfer agreement unless both sides agree on this point. This raises fundamental legal, cultural and philosophical questions between Europe and the US. Whatever is decided in the end is likely to shape US-EU political and diplomatic relations for many years to come. Needless to say the negotiations are not over and concessions will need to be made on both sides if a deal is to be struck.

The question now is: what will happen when the clock strikes midnight on January 31st if no new Safe Harbor agreement is concluded? The more optimistic ones may still think that a last minute compromise is possible, but that is wishful thinking. The reality is that it is very unlikely now a deal will be struck before the end of January and, on the contrary, discussions will continue for several months at least. As stated by Isabelle Falque-Pierrotin (chairwoman of the CNIL and the WP 29) a few weeks ago, the end of January was never meant as a hard deadline but rather a sign that political leaders were committed to the task. Simultaneously, this does not mean that the DPAs will not engage in enforcement actions post January. I believe they will.

The impact this will have for companies will largely depend on what they have done in the last three months. Those who have acted immediately following the WP29’s guidance (or who are in the process of doing so) and have adopted EU model clauses as an alternative for transferring personal data to the US are in a better place than those who have done nothing and who were thinking (or hoping?) that a new agreement would be reached before the end of January, which would enable them simply to transition their transfers under the “new” Safe Harbor framework.

But here’s the interesting bit. The DPAs themselves have not yet reached a common position regarding the practical implications of the CJEU’s decision on other data transfer mechanisms, such as EU model clauses and BCR. The more conservative DPAs are calling for a general freeze on all data transfers, including those that are based on the EU model clauses or BCR on the grounds that these data export solutions do not legally prevent foreign authorities in the importing countries from accessing EU data for law enforcement purposes. The more business-friendly DPAs are more focused on the consequences this would have for businesses if all means for transferring personal data are frozen.

As you can see, not only is the fate of a new Safe Harbor agreement uncertain, but also, it is unclear at this point how the DPAs will decide to enforce the CJEU’s decision on other data export solutions. The WP29 is holding a plenary meeting on February 2nd and is expected to reach a common position on this issue. Once again, the outcome of this meeting is twofold. Either the WP29 adopts a strict and extensive interpretation of the CJEU’s decision, which as a consequence, would mean that all transfers of personal data to the US would be prohibited (including those that are based on the EU model clauses or BCR). This would have a catastrophic effect on the economy, not to mention that it would seriously impede transatlantic relations. Or else, the WP29 decides (in line with its previous opinion) that companies may continue to transfer personal data on the grounds of the EU model clauses and BCR.

The final outcome could be found somewhere between those two lines. One solution could be to ask companies to adopt additional measures, such as an anti-surveillance pledge, under which the business would pledge not to disclose individuals’ data to government or law enforcement authorities unless either (1) legally compelled to do so (for example, by way of a warrant or court order), or (2) there is a risk of serious and imminent harm were disclosure to be withheld.

Let us also not forget that under the new article 43a of the GDPR, “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.” The terms are clear and Europe has set its conditions. Once in force, this provision will apply to all third countries, including China, Russia and India.

Stay tuned for more updates on Safe Harbor in the coming days.

This article was first published on the IAPP’s website under The Privacy Advisor.

By Olivier Proust, Of Counsel, Privacy Security & Information.

Why you shouldn’t rely on consent for (most) data transfers.

Posted on January 13th, 2016 by

Some time back, I did a short post on LinkedIn warning my contacts not to rely on consent as a basis for legalizing their data transfers from the EU.  The post generated such an overwhelming response – both from those who agreed, and also from a few who disagreed, that I felt it merited slightly longer explanation here.  So here goes:

The EU data export prohibition

As all readers of this blog will know, the EU Data Protection Directive prohibits transfers of personal data out of the European Economic Area (Art 25(1)) unless the transferring organization either:

(a) transfers the data to a territory deemed to provide ‘adequate’ protection by the European Commission;

(b) can show that a data export exemption applies, or

(c) puts in place a lawful data export solution with the recipient of the data (i.e. model clauses or BCR).

To date, only a handful of non-EEA countries have been declared adequate by the European Commission (i.e. point (a) above), and a list of those countries is available here.

This means that for most data exporting organizations, they are looking either to show that a data export exemption applies (point (b) above) or that they have a data export solution in place (point (b) above).

Data export ‘exemptions’

Exemptions from the data export prohibition are set out in Article 26(1) of the Directive and – you can probably guess what’s coming – these exemptions include the data subject’s ’unambiguous’ consent.  Put another way, if your data subject understands that you are transferring his or her data internationally, the (potential) consequences of this international transfer, and unambiguously indicates his or her agreement, then the transfer is exempt from the data transfer prohibition.

Sounds good, doesn’t it – but hold your horses.  The lawyers among you will know that legislative exemptions are, by their nature, meant to be construed very narrowly.  That means they should not be ‘the first port of call’ you turn to, but rather applied only when other, more protective, options have been exhausted.  (More on this below.)

Not only that, but the requirement for ‘unambiguous’ consent is a very high threshold to satisfy.  Simply ‘burying’ consent language within a privacy policy isn’t good enough – the consent needs to be presented in a way that is presented much more prominently to data subjects (and who ever saw an international data transfers tick box on a website?)  Remember too that, in certain types of controller/data subject relationships (e.g. an employer/employee relationship), EU regulators generally consider it more-or-less impossible to obtain a valid consent.

Data export ‘solutions’

By contrast, model clauses and BCR are data export solutions, enabled by Art 26(2) of the Directive.  These solutions are designed to enable data transfers to non-EEA countries by virtue of ensuring “adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals”.

What this means is that, unlike consent, they are not simply legal exemptions that effectively disapply the ‘adequacy’ protection the law otherwise would provide individuals.  Rather, they work with this adequacy requirement by introducing controls into the relationship between the transferor and recipient to ensure that the data remains protected even when it is outside the EEA.

For this reason, data export solutions, like model clauses and BCR, should always be preferred over Art 26(1) legal exemptions, like consent.  Art 26(1) exemptions are meant to be applied only when model clauses and BCR are genuinely inappropriate or unavailable for the particular transfer at hand.

When you stop and think about this, it all makes sense.  For very obvious reasons, data protection regulators will always favor solutions that provide an ongoing protection for individuals’ data outside the EEA, as opposed to reliance on consent where the individual is effectively waiving ‘adequate’ protection.  That makes model clauses and BCR a much more robust basis for conducting data exports.

What the regulators say

You don’t have to take my word for it though.  Here’s what the Article 29 Working Party have to say on the issue in their “Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995” (available here):

Although the use of the derogations per se does not imply in all cases that the country of destination does not ensure an adequate level of protection, it does not ensure that it does either. As a consequence, for an individual whose data have been transferred, even if he has consented to the transfer, this might imply a total lack of protection in the recipient country, at least in the sense of the provisions of Article 25 or 26(2) of directive 95/46…

Furthermore, in the light of experience, the Working Party suggests that consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question.Relying on consent may therefore prove to be a “false good solution”, simple at first glance but in reality complex and cumbersome…

If the level of protection in the third country is not adequate in the light of all the circumstances surrounding a data transfer, the data controller should consider Article 26(2), i.e., providing adequate safeguards through, for example, the standard contractual clauses or binding corporate rules. Only if this is truly not practical and/or feasible, then the data controller should consider using the derogations of Article 26(1). 

Further in line with this logic, the Working Party would recommend that the derogations of Article 26(1) of the Directive should preferably be applied to cases in which it would be genuinely inappropriate, maybe even impossible for the transfer to take place on the basis of Article 26(2). 

The Working Party would find it regrettable that a multinational company or a public authority would plan to make significant transfers of data to a third country without providing an appropriate framework for the transfer, when it has the practical means of providing such protection (e.g. a contract, BCR, a convention). 

It is in particular for this reason that the Working Party would recommend that transfers of personal data which might be qualified as repeated, mass or structural should, where possible, and precisely because of these characteristics of importance, be carried out within a specific legal framework (i.e. contracts or binding corporate rules).

And here’s the European Commission echoing that sentiment in their ‘Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries (available here):

…the derogations in Article 26(1) of the Directive should be interpreted restrictively and preferably be applied to cases in which it would be genuinely inappropriate, or even impossible, for the transfer to take place on the basis of Article 26(2), i.e., providing adequate safeguards through, for example, (the standard) contractual clauses or binding corporate rules. Only if this is truly not practical and/or feasible should the data controller consider using the derogations in Article 26(1). 

This is the case in particular for transfers of personal data that might be described as repeated, mass or structural. These transfers should, where possible, and precisely because of their importance, be carried out within a specific legal framework (Article 25 or 26(2)). Only for instance when recourse to such a legal framework is impossible in practice can these mass or repeated transfers be legitimately carried out on the basis of Article 26(1).” (emphasis added)

Why this matters

Since the fall of Safe Harbor, many organizations have been scrambling to new data export models to legitimize data transfers from the EU to the US, in particular.  Often consent is one of the first things they consider, under an understandable but ultimately mistaken belief that building some consent language into the privacy policy will fix the problem.  It doesn’t.

Ultimately, what this means for your organization is that, if your post-Safe Harbor data export strategy is built around reliance on consent, then you need to take a long, hard look at whether this really is an appropriate mechanism.  Often, it won’t be, in which case now is the time to take stock and consider moving to a strategy built around model clauses or BCR instead.

DPAs react to the CJEU’s decision on Safe Harbor

Posted on October 22nd, 2015 by

Since the CJEU’s decision of 6 October 2015 revoking the EU/US Safe Harbor program, Safe Harbor continues to make the headlines and there are new legal developments each day. This blog post summarizes the public statements that were made in recent days by the data protection authorities (DPAs) in the EU and regulators in other parts of the world.

Reaction of the European DPAs

On 16 October 2015, the Article 29 Working Party (WP 29) issued a public statement which says that the DPAs have discussed the consequences of the CJEU’s decision. The position of the WP 29 is summarized below.

What is the WP 29’s analysis of the CJEU’s decision on Safe Harbor?

Unsurprisingly, the WP 29 says “it is clear that companies can no longer rely on Safe Harbor to transfer their data to the US“. If companies are still doubting whether their transfers under Safe Harbor are lawful, the WP 29 confirms that “transfers that are still taking place under the Safe Harbor decision are now considered to be unlawful.

The WP 29 also states: “It is absolutely essential to have a robust, collective and common position on the implementation of the judgment“.

The WP 29 highlights that “the question of massive and indiscriminate surveillance is a key element of the Court’s analysis” and “such surveillance is incompatible with the EU legal framework“. The WP 29 makes a particularly bold statement by saying that “countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers“, which it would seem is addressed at the US authorities.

What should companies do?

Unfortunately, the WP 29 does not provide a lot of practical guidance for companies. It simply says that “businesses should reflect on the possible risks that they are taking when transferring data and should consider putting in place any legal and technical solution in a timely manner to mitigate those risks and respect the EU data protection acquis“.

Two points are worth highlighting. First, the WP 29 calls upon companies to assess their level of compliance for all types of data transfers, not just those that are based on Safe Harbor. Second, companies need to do so in a “timely manner” which is the WP 29’s way of saying that there is no time to lose. Those companies who have already begun to implement measures to enforce the Safe Harbor decision are in a better position compared with those who haven’t.

Does the CJEU’s decision affect other data transfer mechanisms (e.g., the EU Model Clauses and Binding Corporate Rules)?

The WP 29 says that it “will continue to analyse the impact of the CJEU’s judgment on other data transfer tools“, which in itself is not very reassuring given the reactions of some of the DPAs. In Germany, for example, the data protection authority for the German state of Schleswig-Holstein issued a position paper in which it declares the EU model contract clauses invalid.

Nonetheless, the WP 29 does convey a more reassuring message to companies by saying that “EU model clauses and BCR can still be used”. At this point, it is difficult to predict what will be the impact of the Safe Harbor decision on Model Clauses and BCR and so we will continue to monitor the situation in the weeks to come.

How will the DPAs enforce the CJEU’s decision?

The good news is that the WP 29 has granted a grace period to find an appropriate solution with the US authorities. The bad news is that this grace period will expire at the end of January 2016, which leaves very little time for companies to adapt.

Until then, if no solution has been found (a Safe Harbor 2.0?) and depending on the assessment that is made by the WP 29 of the other data transfer mechanisms, then “the DPAs are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions“. As we have seen in recent months on other issues (such as mobile apps and cookies) the DPAs have demonstrated their ability to conduct pan-European enforcement actions. However, one should not forget that, even if the DPAs do launch a coordinated enforcement action, the actual enforcement measures can only be pronounced by each DPA at a national level. And the new enforcement provisions under the upcoming General Data Protection Regulation (GDPR) will not come into force before 2018 (assuming the text of the GDPR is formally adopted in 2016).

In the meantime, the WP 29 reminds that each national DPA can “investigate particular cases, for instance on the basis of complaints, and exercise their powers in order to protect individuals“, which means that each DPA can act independently against any company in accordance with its national law.

The WP 29 also says that the DPAs “will also put in place appropriate information campaigns at national level to ensure that stakeholders are sufficiently informed“, which may include “direct information to all known companies that used to rely on the Safe Harbor decision as well as general messages on the DPAs’ websites“. And so, companies who have filed their DPA notifications and/or obtained the approval of the DPAs to transfer data to the US on the basis of Safe Harbour could be contacted by the DPAs in the days or weeks to come and should therefore be prepared to explain to the DPAs what remediation measures they have put in place.

What next?

The WP 29 says that it “is urgently calling on the EU Member States and the European institutions to open discussions with the US authorities in order to find a political, legal and technical solution that enables companies to transfer personal data to the US in compliance with respect for fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects“. It is interesting to note that the WP 29 does say that “the current negotiations around a new Safe Harbor could be a part of the solution” and so it has willingly left that window open.

The WP 29 also states: “The task that lies ahead to find a sustainable solution in order to implement the CJEU’s decision must be shared between the DPAs, the EU institutions, EU Member States and businesses“. With the GDPR soon to be adopted, this will be a challenge to get all the stakeholders to agree on a new Safe Harbor framework that complies with the provisions of the GDPR.

Reaction of the regulators in other parts of the world

The Safe Harbor decision has also caused a ripple effect beyond the European Union borders and regulators in other parts of the world have also reacted to the CJEU’s decision.

United States:

The US Department of Commerce published an advisory on the Safe Harbor website stating: “In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework“. Once fails to see how the Department of Commerce can actually continue to process submissions for self-certification to Safe Harbor when clearly such transfers are now unlawful under European law.


On October 19th, the Israeli Law, Information and Technology Authority (ILITA) issued a statement in which it revokes its prior authorization to transfer data from Israel to the U.S. on the basis of Safe Harbor. Pursuant to the data protection laws of Israel, transfers of data outside of Israel to third countries is permitted if the data is sent to a country that receives data from the EU under the same terms of acceptance. However, the CJEU’s decision invalidates the authorization to transfer personal data from Europe to companies committed to the Safe Harbor. Consequently, the position of ILITA is that organizations can no longer rely on this derogation as a basis for the transfer of personal data from Israel to organizations in the United States.

In the absence of an alternative valid arrangement or another formal decision of the EU with respect to the transfer of data from the EU to the US, companies who want to transfer personal data from Israel to the US are therefore required to assess whether they can legitimize their transfers on one of the other derogations set out in the data protection law of Israel.


On 7th October, 2015, the Swiss Data Protection Authority (FDPIC) issued a first press release on its website stating that the Swiss/US Safe Harbor decision “is also called into question” by the CJEU’s decision. “As far as Switzerland is concerned, in the event of renegotiation, only an internationally coordinated approach that includes the EU is appropriate.”

On 22nd October 2015, the FDPIC made a second statement which says that “as long as Switzerland has not renegotiated a new Safe Harbor Framework with the United States, Safe Harbor cannot be deemed a valid legal mechanism for transferring personal data to the US.” It would seem, therefore, that without officially revoking the Swiss/US Safe Harbor program, it is de facto no longer possible for Swiss based companies to transfer personal data to the US on the grounds of Safe Harbor.

Without explicitly mentioning any enforcement actions, the FDPIC calls upon businesses who are transferring personal data to the US to adapt their contracts with US companies before the end of January 2016. The FDPIC will also coordinate with the EU DPAs to determine what other actions may be required to protect the fundamental rights of the individuals.

By Olivier Proust

Europe now holds the key to the future of privacy

Posted on October 10th, 2015 by

A lot is being said about the CJEU’s ruling on Safe Harbour. Without any doubt, for the privacy community this is the most important legal development since the EU Commission’s announcement of a revision to the Data Protection Directive of 1995. What the Court’s ruling shows us is that privacy has become a major area of law and an absolute priority in terms of compliance for any company.

Among the many issues that this decision raises, I’d like to focus on two key issues. The first is enforcement. Many companies are wondering what is the risk for them now that Safe Harbor has been pronounced invalid. As a lawyer, I believe there is no point in arguing the CJEU’s ruling (click here to read our analysis of the CJEU’s ruling in the Max Schrems case). Some may disagree with it, but it is now the law in Europe, and we need to accept it.

As a practitioner, however, I think we need to analyse the Court’s decision in a practical and pragmatic manner. Strictly from a legal point of view, the CJEU’s decision leaves no room for interpretation: Safe Harbor is invalid, and so companies can no longer rely on it to transfer their data to the U.S. But, in practical terms, it is unrealistic to think that EU companies will suddenly pull the plug and stop transferring their data to the U.S.

Technically, I’m not sure this is feasible, and, certainly, this would have a devastating effect on our economy and on the relations between the EU and the U.S. It also seems unlikely that the national data protection authorities (DPAs) will suddenly begin to investigate companies, or worse, to sanction them because they continue to transfer personal data to the U.S. Let us not forget that in many EU member states, the national DPAs have approved the transfers of data to the U.S. on the basis of Safe Harbor. In my opinion, it would make no sense, and would serve no real purpose, if the DPAs would suddenly repeal the approvals that they have granted to thousands of companies over the last 15 years.

That is not to say that the DPAs will take no action. On the contrary, there is now a high expectation for companies to reassess their data flows and, where needed, to implement new measures for transferring data outside the EU. It is also important to note that, while Safe Harbor can no longer be used as a legal basis for transferring data outside the EU, the measures that companies have put in place to comply with the Safe Harbor principles should remain valid. In the end, what really matters is whether and how companies are safeguarding the data they transfer outside the EU, regardless of the legal basis on which they rely to do so. And so, as a short-term solution, a decision from the DPAs to grant companies a grace period that would allow them to leverage the efforts they have made in the past in order to transition toward another data-transfer mechanism would certainly be welcome. At the same time, let’s not be naïve. The CJEU’s ruling empowers the DPAs tremendously and, once the General Data Protection Regulation (GDPR) is finally adopted, they will have unprecedented powers to investigate and sanction companies. So the clock has already begun to tick for those companies that were relying on Safe Harbor…

The second point I’d like to make is that the national DPAs have here a unique opportunity to send a clear and consistent message to the world. Some people are already commenting—rightfully so!—that there is risk that the court’s decision will be interpreted differently by the DPAs in their respective jurisdictions, which would result in a patchwork of different interpretations and solutions across Europe. Well, I think the situation demands that the Article 29 Working Party adopt a common and unified position. Too often, Europe has been criticised for its lack of harmonisation and its fragmented approach to law. Now is the moment to show the world that Europe can speak in harmony. If the DPAs fail to seize this moment, the risk is that the relations between the EU and the U.S. will be significantly damaged, and this will leave literally thousands of companies in a limbo.

As for the issue regarding the disclosure of personal data to foreign authorities, which is really the pivotal issue here, the CJEU’s ruling has repercussions beyond Safe Harbor because it concerns data transfers as a whole—meaning that the analysis can be applied to adequacy decisions, the EU model clauses and Binding Corporate Rules. Thus, the CJEU’s decision calls for EU legislators to adopt a coherent and consistent position on this issue across the different legal frameworks that are currently being prepared: the GDPR, the “new” Safe Harbor framework and the so-called Umbrella Agreement on the transfers of personal data between the EU and the U.S. for justice and law-enforcement purposes. And so, once again, consistency seems to be the key word to ensure that a fair balance is found between the protection of the individual’s privacy and the freedom to conduct business—both of which are fundamental rights under the European Charter of Fundamental Rights.

Europe may be holding the key to the future of privacy, but it needs to embrace this future with a clear, pragmatic and realistic vision. Otherwise, I fear the upcoming GDPR will fail to achieve its goal.

This article was first published in the IAPP’s Europe Data Protection Digest on 9th October 2015.

What data protection reform would look like if it were up to me.

Posted on September 16th, 2015 by

Earlier today I attended a superb session of the Churchill Club in Palo Alto, at which the European Data Protection Supervisor was speaking on data protection and innovation.  As he spoke about the progress of the EU General Data Protection Regulation and what its impacts would be upon business, I found myself given to thinking about what EU data protection reform would be like if it were up to me.

Of course, this is by definition somewhat of a navel gazing exercise because EU data protection reform is not up to me.  Nevertheless, I thought I would at least share some of my thoughts to see to what extent they strike a chord with readers of our blog – and, perhaps, even reach the ears of those who do make the law.

So, if you’ll allow me this indulgence, here’s what my reforms would do:

1.  They would strike a balance between supporting privacy rights, economic and social well-being and innovation.  Fundamentally, I support the overarching goals of the GDPR described in its recitals – namely that “the principles and rules on the protection of individuals with regard to the processing of their personal data should …. respect their fundamental rights and freedoms, notably their right to protection of personal data” and that those rules should “contribute to an area of freedom, security and justice …, to economic and social progress, … and the well-being of individuals.”  Yet, sometimes within the draft texts of the GDPR, this balance has been lost, with provisions swinging so far towards conservatism and restrictiveness, that promotion of economic progress – including, critically for any economy, innovation – gets lost.  If it were up to me, my reforms would endeavour to restore this balance through some of the measures described below.

2.  They would recognize that over-prescription drives bad behaviours.  A problem with overly-prescriptive legislation is that it becomes inherently inflexible.  Yet data protection rules need to apply across all types of personal data, across all types of technologies and across all sectors.  Inevitably, the more prescriptive the legislation, the less well it flexes to adapt to ‘real world’ situations and the more it discourages innovation – pushing otherwise would-be good actors into non-compliance.  And, when those actors perceive compliance as unobtainable, their privacy programs become driven by concerns to avoid risk rather than to achieve compliance – a poor result for regulators, businesses and data subjects alike.  For this reason, my data protection reforms would focus on the goals to be achieved (data stays protected) rather than on the means of their achievement (e.g. specifying internal documentation needs).  This is precisely why the current Data Protection Directive has survived as long as it has.

3.  They would provide incentives for pseudonymisation.  Absent a few stray references to pseudonymisation here and there across the various drafts of the GDPR, there really is very little to incentivise adoption of pseudonymisation by controllers – psuedonymised data are protected to exactly the same standard as ‘ordinary’ personal data.  Every privacy professional recognizes the dangers of re-identification inherent in pseudonymised data, but treating it identically to ordinary personal data drives the wrong behaviour by controllers – perceiving little to no regulatory benefit to pseudonymisation, controllers decline to adopt pseudonymisaion for cost or other implementation reasons.  My reforms would explore whether pseudonymisation could be incentivised to encourage its adoption, for example by relaxing data minimization, purpose limitation or data export rules for pseudonymised data, in addition to existing proposals for relaxed data breach notification rules.

4.  They would recognize the distinct role of platforms.  European data protection professionals still operate in a binary world – businesses are either ‘data controllers’ or ‘data processors’.  Yet, increasingly, this binary division of responsibility and liability doesn’t reflect how things operate in reality – and especially in an app-centric world operating over third party cloud or mobile platforms.  The operators of these platforms don’t always sit neatly within a ‘controller’ or a ‘processor’ mold yet, vitally, are the gatekeepers through which the controllers of apps have access to the highly sensitive information we store on their platforms – our contact lists, our address books, our health data and so on.  We need an informed debate as to the role of platforms under revised data protection rules.

5.  They would abandon outdated data export restrictions.  It’s time to have a grown up conversation about data exports, and recognize that current data export rules simply do not work.  Who honestly believes that a model contract protects data?  And how can European regulators promote Binding Corporate Rules as a best practice standard for data export compliance, but then insist on reviewing each and every BCR applicant when they are too poorly resourced to do so within any kind of commercially acceptable timescale?  And how can we possibly complain about the US having poor Safe Harbor enforcement when we have little to no enforcement of data export breaches at home in the EU?  Any business of scale collects data internationally, operates internationally, and transfers data internationally; we should not prohibit this, but should instead have a regulatory framework that acknowledges this reality and requires businesses to self-assess and maintain protection of data wherever it goes in the world.  And, yes, we should hold businesses fully accountable when they fail to do so.

6.  They would recognise that consent is not a panacea.  There’s been a strong narrative in Europe for some time now that more data processing needs to be conditioned on individuals’ consent.  The consensus (and it’s not a wholly unfair one) is that individuals have lost control of their data and consent would somehow restore the balance.  It’s easy to have sympathy for this view, but consent is not all it’s cracked up to be.  Think about it, if consent were a requirement of processing, how would businesses be forced to respond?  Particularly within the European legislative environment that considers almost all types of data to be ‘personal’ and therefore regulated?  The answer would be a plurality of consent boxes, windows and buttons layered across every product and service you interact with.  And, to make matters worse, the language accompanying these consents would invariably become excessively detailed and drafted using ‘catch-all’ language to avoid any suggestion that the business failed to collect a sufficiently broad consent.  Clearly, there are places where consent is merited (collection and use of sensitive data being a prime example) but for other uses of data, a well-structured data protection regime would instead promote the use of legitimate interests and other non-consent based grounds for data processing – backed, of course, by effective regulatory audit and sanctions in order to provide the necessary checks and balances.

So there you have it.  Those are just a few of my views – I have others, but I’ll spare you them for now, and no doubt you’ll have views of your own.  If you agree with the views above, then share them; if you don’t, then share them anyway and continue the debate.  We’ll only ever achieve an appropriate regulatory framework that balances the needs of everyone if we all make our voices heard, debate hard, and strive to reach consensus on the right data protection regime fit for the future!

Handling government data requests under Processor BCR

Posted on June 2nd, 2015 by

Earlier today, the Article 29 Working Party published some new guidance on Processor BCR. There’s no reason you would have noticed this, unless you happen to be a BCR applicant or regularly visit the Working Party’s website, but the significance of this document cannot be overstated: it has the potential to shape the future of global data transfers for years to come.

That’s a bold statement to make, so what is this document – Working Party Paper WP204 “Explanatory Document on the Processor Binding Corporate Rules” – all about? Well, first off, the name kind of gives it away: it’s a document setting out guidance for applicants considering adopting Processor BCR (that’s the BCR that supply-side companies – particularly cloud-based companies – are all rushing to adopt). Second, it’s not a new document: the Working Party first published it in 2013.

The importance of this document now is that the Working Party have just updated and re-published it to provide guidance on one of the most contentious and important issues facing Processor BCR: namely how Processor BCR companies should respond to government requests for access to data.

Foreign government access to data – the EU view

To address the elephant in the room, ever since Snowden, Europe has expressed very grave concerns about the ‘adequacy’ of protection for European data exported internationally – and particularly to the US. This, in turn, has led to repeated attempts by Europe to whittle away at the few mechanisms that exist for lawfully transferring data internationally, from the European Commission threatening to suspend Safe Harbor through to the European Parliament suggesting that Processor BCR should be dropped from Europe’s forthcoming General Data Protection Regulation (a suggestion that, thankfully, has fallen by the wayside).

By no means the only concern, but certainly the key concern, has been access to data by foreign government authorities. The view of EU regulators is that EU citizens’ data should not be disclosed to foreign governments or law enforcement agencies unless strict mutual legal assistance protocol has been followed. They rightly point out that EU citizens have a fundamental right to protection of their personal data, and that simply handing over data to foreign governments runs contrary to this principle.

By contrast, the US and other foreign governments say that prompt and confidential access to data is often required to prevent crimes of the very worst nature, and that burdensome mutual legal assistance processes often don’t allow access to data within the timescales needed to prevent these crimes. The legitimate but conflicting views of both sides lead to the worst kind of outcome: political stalemate.

The impact of foreign government access to data on BCR

In the meantime, businesses have found themselves trapped in a ‘no man’s land’ of legal uncertainty – the children held responsible for the sins of their parent governments. Applicants wishing to pursue Processor BCR have particularly found themselves struggling to meet its strict rules concerning government access to data: namely that any “request for disclosure should be put on hold and the DPA competent for the controller and the lead DPA for the BCR should be clearly informed about it.” (see criteria 6.3 available here)

You might fairly think: “Why not just do this? If a foreign government asks you to disclose data, why not just tell them you have to put it on hold until a European DPA sanctions – or declines – the disclosure?” The problem is that reality is seldom that straightforward. In many jurisdictions (and, yes, I’m particularly thinking of the US) putting a government data disclosure order “on hold” and discussing it with a European DPA is simply not possible.

This is because companies are typically prohibited under foreign laws from discussing such disclosure orders with ANYONE, whether or not a data protection authority, and the penalties for doing so can be very severe – up to and including jail time for company officers. And let’s not forget that, in some cases, the disclosure order can be necessary to prevent truly awful offences – so whatever the principle to be upheld, sometimes the urgency or severity of a particular situation will simply not allow for considered review and discussion.

But that leaves companies facing the catch-22. If they receive one of these orders, they can be in breach of foreign legal requirements for not complying with it; but if they do comply with it, they risk falling foul of European data protection rules. And, if you’re a Processor BCR applicant, you might rightly be wondering how on earth you can possibly give the kind of commitment that the Working Party expects of you under the Processor BCR requirements.

How the Working Party’s latest guidance helps

To their credit, the Working Party have acknowledged this issue and this is why their latest publication is so important. They have updated their BCR guidance to note that “in specific cases the suspension and/or notification [to DPAs of foreign government data access requests] are prohibited”, including for example “a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation”. In these instances, they expect BCR applicants to use “best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible”.

So far, so good. But here’s the kicker: they then say that BCR applicants must be able to “demonstrate” that they exercised these “best efforts” and, whatever the outcome, provide “general information on the requests it received to the competent DPAs (e.g. number of applications for disclosure, type of data requested, requester if possible, etc.)” on an annual basis.

And therein lies the problem: how does a company “demonstrate” best efforts in a scenario where a couple of NSA agents turn up on its doorstep brandishing a sealed FISA order and requiring immediate access to data? You can imagine that gesticulating wildly probably won’t cut it in the eyes of European regulators.

And what about the requirement to provide “general information” on an annual basis including the “number of applications for disclosure”? In the US, FISA orders may only be reported in buckets of 1,000 orders – so, even if a company received only one or two requests in a year, the most it could disclose is that it received between 0 and 999 requests, making it seem like government access to their data was much more voluminous than in reality it was.

I don’t want problems, I want solutions!!!

So, if you’re a Processor BCR applicant, what do you do? You want to see through your BCR application to show your strong commitment to protecting individuals’ personal data, and you certainly don’t want to use a weaker solution, like Model Clauses or Safe Harbor that won’t carry equivalent protections. But, at the same time, you recognize the reality that there will be circumstances where you are compelled to disclose data and that there will be very little you can do – or tell anyone – in those circumstances.

Here’s my view:

  • First off, you need a document government data access policy. It’s unforgivable in this day and age, particularly in light of everything we have learned in the past couple of years, not to have some kind of written policy around how to handle government requests for data. More importantly, having a policy – and sticking to it – is all part and parcel of demonstrating your “best efforts” when handling government data requests.
  • Second, the policy needs to identify who the business stakeholders are that will have responsibility for managing the request – and, as a minimum, this needs to include the General Counsel and, ideally, the Chief Privacy Officer (or equivalent). They will represent the wall of defense that prevents government overreach in data access requests and advise when requests should be challenged for being overly broad or inappropriately addressed to the business, rather than to its customers.
  • Third, don’t make it easy for the government. They want access to your data, then make them work for it. It’s your responsibility as the custodian of the data to protect your data subject’s rights. To that end, ONLY disclose data when LEGALLY COMPELLED to do so – if access to the data really is that important, then governments can typically get a court order in a very short timeframe. Do NOT voluntarily disclose data in response to a mere request, unless there really are very compelling reasons for doing so – and reasons that you fully document and justify.
  • Fourth, even if you are under a disclosure order, be prepared to challenge it. That doesn’t necessarily mean taking the government to court each and every time, but at least question the scope of the order and ask whether – bearing in mind any BCR commitments you have undertaken – the order can be put on hold while you consult with your competent DPAs. The government may not be sympathetic to your request, particularly in instances of national security, but that doesn’t mean you shouldn’t at least ask.
  • Fifth, follow the examples of your peers and consider publishing annual transparency reports, a la Google, Microsoft and Yahoo. While there may be prohibitions against publishing the total numbers of national security requests received, the rules will typically be more relaxed when publishing aggregate numbers of criminal data requests. This, in principle, seems like a good way of fulfilling your annual reporting responsibility to data protection authorities and – in fact – goes one step further: providing transparency to those who matter most in this whole scenario, the data subjects.
  • So why does the Working Party’s latest opinion matter so much? It matters because it’s a vote of confidence in the Processor BCR system and an unprecedented recognition by European regulatory authorities that there are times when international businesses really do face insurmountable legal conflicts.

    Had this opinion not come when it did, the future of Processor BCR would have been dangerously undermined and, faced with the prospect of Safe Harbor’s slow and painful demise and the impracticality of Model Clauses, would have left many without a realistic data export solution and further entrenched a kind of regulatory ‘Fortress Europe’ mentality.

    The Working Party’s guidance, while still leaving challenges for BCR applicants, works hard to strike that hard-to-find balance between protecting individuals’ fundamental rights and the need to recognize the reality of cross-jurisdicational legal constraints – and, for that, they should be commended.

    EU data exports – choosing the least worst option?

    Posted on April 3rd, 2015 by

    Data, as anyone doing privacy on a global scale will tell you, knows no boundaries.  It can be collected in country A, routed through countries B, C, and D, and come to rest on servers in country E.  Those servers are likely then maintained by a third party in country F, with subcontracted support from another third party provider in country G.
    All that is well and good, but what do you do when country A happens to be within Europe, and any one or more of countries B through G are outside of Europe?  Europe’s aging Data Protection Directive tells you that if any of that data is personal in nature, then its transfer outside of the Europe is forbidden.  Forbidden, that is, unless you have an “adequate” data export solution in place.
    So the good news is that you can export data internationally if you have an “adequate” solution in place, and the even better news is that there’s not one solution but three!  Phew!  Your choices are either:
    • sign up to the US-EU Safe Harbor Framework – a voluntary privacy framework for US-based importers of data, 
    • execute so-called EU Model Clauses – also known as Standard Contractual Clauses) – standard form, non-negotiable data export agreements approved by the European Commission, or
    • implement Binding Corporate Rules – a binding organizational data governance policy framework reviewed and approved by European data protection authorities.
    So far, so good.  But then comes the problem: each of these solutions suffers from some serious drawbacks that either makes it commercially infeasible (Model Clauses), mistrusted by European customers and regulators (Safe Harbor), or subject to a lengthy regulatory approval process that  puts off well-intentioned businesses that would otherwise be willing to adopt it (BCR).
    A perilous future for Safe Harbor?
    To illustrate the issue, today roughly 4,000 US businesses rely on Safe Harbor to import personal data from Europe.  However, following the Snowden revelations, European legislators and regulators are increasingly reluctant to recognize the validity of Safe Harbor – believing that it no longer (or perhaps, never) provides “adequate” protection for data and, as such, should be suspended or revoked.  See here and here, for example.
    Indeed, one case currently before the European Court of Justice, may well decide Safe Harbor’s fate once and for all.  In Schrems v the Irish Data Protection Commissioner (Case C-362/14), one of the points the Court has to consider is whether Safe Harbor does in fact provide “adequate” protection for European data exports; if it decides the answer is no, then Safe Harbor could well be over.
    But, frankly, whether or not that happens is largely an academic point.  Many US importers already find EU customers will refuse to contract with them if they rely on Safe Harbor.  And, even if it survives this court case, the European Commission has been threatening for some time to suspend Safe Harbor.  With this level of ongoing uncertainty, it’s inevitable that businesses are looking to other options available to them
    The problem with Model Clauses

    In nearly all cases, they next turn to Model Clauses as the solution to their data export woes.  On one level, doing so makes a lot of sense: Model Clauses are the darling of the regulatory community (after all, they created them), contain robust data protection terms, and so are often considered a ‘guaranteed compliant’ solution for the customers that use them.
    The reality, though, is something different.  Model Clauses neither provide the protection for data that customers and regulators think they do, nor are they actually complied with in practice – more often than not, they’re signed, put in a drawer and forgotten about.  For data importing vendors, they are also woefully impractical – containing subcontracting controls that are unrealistic, excessive audit rights, and no liability limitations.  And, to add to all this, where lengthy international subcontracting chains are involved, exporters and importers will often be looking an an extremely complicated web of Model Clause contracts to prepare and sign.
    Taking that all into account, what right-minded person would really want to entrust any transfer of data to something so complicated and unworkable in practice?
    Which leaves BCRs
    With Safe Harbor on its last legs, and model clauses suffering from all manner of problems, then the final remaining solution available to data importers is Binding Corporate Rules.  In themselves, BCRs are a fine solution and often thought of (rightly) as the gold standard for data exports from the EU – after all, they have to get reviewed and signed off by European regulators.  
    Further, the business adopting BCRs gets to draft them in a way that reflects the particular characteristics and needs of their organization and, once in place, BCRs can be self-managed by the business with minimal ongoing maintenance and regulatory oversight. The consequence of this is that they significantly reduce administrative burden and, for large organizations, even cost as compared with model clauses.
    But their single biggest drawback is the lack of any simple approval or self-certification process.  Adopting BCR, as anyone who’s been through the process knows, is not quick or straightforward.  While the end result is undoubtedly positive, the regulatory approval process typically takes around 18 months from start to finish.  Many organizations, faced with pressing data export needs, simply don’t have the time to hang around and so turn to quicker, off-the-shelf solutions.  
    So what do you do?
    The simple reality right now is that Europe has no good solution for facilitating international data exports, which is in stark contrast to increasingly globalized movements and storage of data.  Yet, be that as it may, data export compliance is an important component of European privacy law, and one that will not get any simpler in the short- to mid-term.
    Businesses are therefore left to consider what will be the most appropriate solution for their needs.  For US businesses, that will still often be Safe Harbor, but on the understanding that this cannot be relied upon as an “exclusive” solution for all their data exports needs and that, in many cases, they still need to be prepared to sign Model Clauses with important customers who insist on them.
    What is the most appropriate data export strategy for an international business then?  Here’s my suggestion:
    1. If you’re a US business, rely on Safe Harbor to the extent you can.
    1. Where you can’t, or if you are sending data to other non-EU countries, use Model Clauses (there’s really very little alternative).
    1. But, to provide a more effective longer term solution, start the process now of preparing for and adopting BCR.  Once implemented, these will ultimately be a far more efficient solution that can replace the awkward pairing of Safe Harbor and Model Clause solutions.
    So while there’s no good solution, with some careful strategizing and forward thinking, you may at least get to a place that is – for want of a better word – adequate.

    Towards more harmonization on the EU model clauses

    Posted on December 8th, 2014 by

    On November 26th, 2014, the Article 29 Working Party (“WP 29”) issued a document setting forth a cooperation procedure regarding the use of the EU model clauses in the context of international data transfers. The aim of this document is to facilitate the use of the EU model clauses across multiple jurisdictions in Europe while ensuring a harmonized and consistent approach to the way these model clauses are approved by the national data protection authorities (“DPAs”).


    General rule

    As a general rule, organizations who use the standard contractual clauses that were adopted by the European Commission to frame their transfers of data outside the EEA cannot change them unless they seek the prior approval of the DPAs of the Member States from where transfers are taking place. Nonetheless, companies may include the standard contractual clauses in a wider contract and add specific clauses such as commercial clauses (as permitted under paragraph VII of the model clauses 2004/915/EC, clause 10 of the model clauses 2010/87/EC and recital 84 of the proposed Data Protection Regulation) as long as they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the rights or freedoms of the data subjects. For example, it is possible to include additional guarantees or procedural safeguards for the individuals (e.g., on-line procedures or relevant provisions contained in a privacy policy).

    Need for authorizations

    In many EU Member States, a national authorization is required for the use of ad hoc contracts (e.g., Austria, Belgium, France, Germany (in some Länder), the Netherlands, Poland or Spain) or for transferring data outside the EEA on the basis of the EU model clauses (e.g., Austria, France or Spain). In practice, there has been a discrepancy between some DPAs who have traditionally been opposed to accepting any form of amendment to the model clauses and those who accept certain changes where they do not contradict the requirements under the model clauses.

    Purpose: Obtaining an ad hoc approval from those DPAs can be challenging, thus making it complicated for international organizations to implement ad hoc model clauses or intra-group data transfer agreements in the different EEA countries where their affiliates are located. As a consequence, this has created a legal risk for organizations because DPAs in different jursidictions might adopt a different position with regard to an organization’s contractual clauses.

    For this reason, the WP29 has created a new cooperation procedure with a view to providing a more harmonized interpretation of the EU model clauses and adopting a common approach when reviewing the contracts used by organizations that are based on the EU model clauses.

    Scope: This new cooperation procedure applies to both sets of model clauses that were adopted by the EU Commission covering controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EC) data transfers and is meant to be used where:

    • an organization wants to use a single set of contractual clauses that are based on the EU model clauses (but with some divergences such as additional clauses);
    • in different EEA Member States;
    • in order to frame a same type or similar transfers from different EEA Member States; and
    • this organisation wants to obtain a coordinated position of the competent DPAs regarding its proposed contract, and in particular, to verify whether this contract complies with the EU model clauses.

    For example, this would be the case in certain corporate groups, where data systems may be centralized outside the EEA, and subsequently, the same set of contractual clauses are signed by the different EEA subsidiaries (e.g., by means of an intra-group data transfer agreement). The WP 29’s document does not provide any specific examples, but one can expect that the DPAs will review a company’s contractual clauses on the basis of a pre-established list of criteria with a view to approving or rejecting changes that are made to the model clauses. Where such divergences have no impact on whether the contract complies with the EU model clauses, then it is not required to follow this procedure.

    It is not entirely clear whether this procedure can be used for transfers between an EEA processor and a non-EEA sub-processor. Earlier this year, the WP29 issued a draft version of its ad hoc model clauses covering such transfers, but these model clauses have yet to be formally drafted and adopted by the EU Commission, which is not yet the case (see our previous blog article).

    Procedure: The cooperation procedure is largely inspired by, and based on, the actual approval procedure for Binding Corporate Rules (“BCR”). At the beginning of the procedure, the organization must send a copy of its contract clearly highlighting all the divergences and additional clauses to a lead DPA. Once the lead DPA is approved, a formal review of the organization’s contract is carried out by the lead DPA to verify its conformity with the EU model clauses. For example, the lead DPA will verify whether the proposed contract is:

    – based on the EU model clauses;

    – diverts from, or contradicts, the EU model clauses; or

    – prejudices the rights of the individuals.

    Where the data are transferred from more than 10 Member States, two other DPAs will be appointed as co-reviewers. In all other situations, only one reviewer will be appointed in addition to the lead DPA. Once the lead DPA is satisfied that the contract complies with the EU model clauses, it issues an opinion in a draft letter and communicates the draft letter, the proposed contract and its analysis to the co-reviewer(s) who has one month to provide its comments. Following that, the draft letter is then sent to the remaining DPAs (in the countries where data are being transferred) who are part of the mutual recognition (they simply acknowledge receipt of the documentation without reviewing in detail) and to those who are part of the cooperation procedure (they have one month to review and provide their comments).

    Once all the DPAs have reviewed, the lead DPA signs the letter of opinion on behalf of all DPAs concerned and sends the letter to the organization, indicating whether the proposed contract is compliant with the EU model clauses. From that moment on, the procedure is closed and the organization may then obtain the necessary approval or permit in the different Member States for the transfer of data outside the EEA.

    Limitations: A significant difference with the BCR approval procedure is that the purpose of the coordination procedure for model clauses is not for the DPAs to approve an organization’s contract as a whole, but rather to assess whether the proposed contract complies with the requirements under the EU model clauses. In other words, where the proposed contract integrates the EU model clauses within a wider commercial agreement, the lead DPA will review the contractual clauses that relate to data transfers, but will not review or adopt any opinion regarding the broader commercial terms of the agreement.

    This was clearly expressed by the CNIL in a press release issued on 24 April 2014 in which the CNIL stated, when referring to Microsoft’s “ad hoc model clauses”, that the WP 29 had considered that the documents provided by Microsoft complied with the data transfer requirements under the EU model clauses, but had not assessed whether Microsoft’s contractual clauses as a whole complied with EU data protection law, nor that Microsoft complied with those rules in practice. In other words, the WP 29 simply agreed that Microsoft had taken the necessary precautions to frame its international data transfers as required by article 26 of the Data Protection Directive.

    Furthermore, the lead DPA’s  letter of opinion does not exclude that permits or authorizations at a national level may be legally required and companies may also be required to comply with other national requirements, such as notifications or administrative formalities with the DPAs. In particular, where permits or authorizations are legally required, national DPAs may still analyse the annexes and the description of the transfer in order to assess whether these are lawful under applicable national laws. In practise, this could mean that following the issuance of a letter of opinion, the organization in question may still need to put in place specific contractual terms to address the national requirements that apply to their local affiliates (e.g., specific security provisions to comply with laws in Spain or Poland) and in any case, will need to obtain a formal approval for the transfer of data where required. Nonetheless, this cooperation procedure may facilitate the administrative formalities under national law, and in theory, the DPAs in the countries concerned should comply with the opinion given by the lead DPA when issuing their permits or authorizations under national law.

    Advantages: The main advantage of this procedure is that it will provide more clarity and legal certainty for organizations who want to put in place a single set of contractual clauses based on, or incorporating, the EU model clauses and are therefore seeking a common and coordinated position of the DPAs as to whether their contract complies with the EU model clauses. In that sense, the WP 29 has introduced some degree of flexibility by enabling organizations to depart from the EU model clauses and to tailor their contracts to each organization.

    It also provides more clarity and a more harmonized interpretation of the EU model clauses by the DPAs, and in particular, makes it easier for organizations to use ad hoc contracts or intragroup agreements in countries where DPAs have traditionally been reluctant to approving such contracts. Consequently, this should enable organizations to adopt a more harmonized and consistent approach when rolling out their data transfer agreements across Europe.

    Disadvantages: The downside is that in creating a new review process for model clauses, which previously did not exist, the WP 29 could make it more burdensome in some cases to use the EU model clauses. Depending on the time it takes for the lead DPA to issue its letter of opinion, there is a risk that the overall time needed for an organisation to obtain the necessary premit or approval from the various DPAs before implementing its contractual clauses will be stretched.

    This procedure also puts organizations under more scrutiny by the DPAs. Officially, the cooperation procedure for model clauses is not obligatory, but nonetheless organizations will be pressured to follow it if their contracts depart from the EU model clauses. In practice, this means that rolling out ad hoc contracts or intra-group agreements will become less straightforward, and on the contrary, will be more formalized.

    Finally, this procedure does not change the fact that, contrary to BCR, the EU model clauses do not constitute, and do not serve the purpose of, a group’s global policy. And so, organizations will inevitably need to have different sets of clauses to frame their data transfers as controller and processor, whereas BCR can be used as a single set of rules to frame all transfers both as a controller and a processor.



    Event alert: The new mechanism for international data transfers – APEC’s CBPRs demystified

    Posted on October 2nd, 2014 by

    On Friday 3 October, Fieldfisher will host an afternoon event entitled “The new mechanism for international data transfers – APEC’s CBPRs demystified” at our new offices in London.

    The event is designed to demonstrate how Cross Border Privacy Rules (“CBPRs”) and Binding Corporate Rules (“BCRs”) can be utilised to facilitate global data protection compliance. Hazel Grant, Fieldfisher’s new Head of Privacy, will chair the event which will also feature presentations from Anick Fortin-Cousens of IBM and Myriam Gufflet of the French data protection regulator (“CNIL”).

    • Ms Fortin-Cousens, leader of IBM’s Corporate Privacy Office and IBM’s CPO for Canada, Latin America and MEA, will provide a practical insight into CBPR. Earlier this year IBM became the first organisation to obtain Asia-Pacific Economic Cooperation’s (“APEC”) CBPR certification.
    • Ms Gufflet, BCR Division Manager at the CNIL, will tell us about the potential interoperability between BCRs and CBPRs. The CNIL have been closely involved in the work of the joint EU-APEC committee on this topic and was appointed as the Article 29 Working Party’s rapporteur in this matter.

    This event is aimed at legal counsel and privacy/compliance professionals in organizations with a global reach who would be interested in understanding how CBPR certification may improve their organization’s data protection global compliance

    Networking drinks will follow the event and will allow attendees to meet privacy, e-commerce and technology law experts from a number of European countries (Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany Hungary, Italy, the Netherlands, Poland, Portugal, Spain, Sweden, Switzerland and the UK) who form the Ecomlex network (

    A limited number of places remain available for the event. If you would like to attend, please register your interest by clicking on the following link–-apecs-cbprs-demystified#sthash.978Xa0wU.dpbs