“The Tricky Transfer of Personal Data in 2016”
By Ms Céline Bondard, Esq.
Admitted in Paris and New York
www.bondard.fr
- The invalidation of the US-EU Safe Harbor Mechanism
From the implementation of the Safe Harbor mechanism in 2000, companies incorporated in the United States (U.S.) could join it in order to receive personal data from the European Union.
However, on October the 6th 2015, the European Court of Justice (the C-362/14 decision)* invalidated the U.S. Safe Harbor mechanism allowing such data transfers, declaring that the principles established by the Safe Harbor mechanism did not necessarily mean that companies conformed to the local laws in place in European Union member states.
Since last October, the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés, i.e., the CNIL) and its counterparts have been carefully looking into the legal and operational consequences of the Safe Harbor invalidation.
Indeed, we must now resort to another way of transferring personal data (BCR, standard contractual clauses, etc.) or cease transfers towards the United States.
In the meantime, European data protection authorities decided to allow these transfers until the end of January 2016.**
Without any new agreement between European institutions, European Union member states and the United States, European data protection authorities will consider the possibility of using their powers to suspend or forbid personal data transfers to the United States.
- Transitional solutions
In order to keep transferring personal data to the United States, the following may be implemented:
- Use the French Data Protection Authority’s simplified forms n°46 and n°48, which allow data transfers***. Standard n° 46 relates to human resources management, and standard n° 48 relates to the management of customers and prospective customers. If the conditions of these forms are satisfied, personal data processing will benefit from the simplified compliance declaration procedure.
- Resort to a specific transfer authorization request, in application of the Binding Corporate Rules (BCR)****. However, BCR apply only to international transfers of personal data within the same corporate group, to entities located in various countries that do not provide an adequate level of protection.
- Resort to standard contractual clauses adopted by the Commission*****. Those standards are made to govern transfers of personal data outside the European Union. Unlike the BCR, the standard contractual clauses apply not only within a corporate group, but to every single data transfer.
A European Regulation shall shortly replace the current rules and will apply to all personal data transfers from the European Union******. This Regulation, now in the draft stages, shall hopefully settle these ongoing concerns.
NOTE: If you are already transferring personal data according to the Safe Harbor mechanism, do not forget to file a request to modify the first declaration in order to notify the end of these transfers and/or the use of the above-mentioned tools.
If you wish to get in touch with Cabinet Bondard, do not hesitate to contact us:
Bondard and Partners
15 rue Margueritte – 75017 Paris
www.bondard.fr
* http://www.cnil.fr/linstitution/actualite/article/article/invalidation-du-safe-harbor-par-la-cour-de-justice-de-lunion-europeenne-une-decision-cl/
** http://www.cnil.fr/vos-obligations/transfert-de-donnees-hors-ue/safe-harbor-faq/
*** http://www.cnil.fr/vos-obligations/transfert-de-donnees-hors-ue/safe-harbor-faq/
**** Ibid.
***** Ibid.
****** http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm