Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with the U.S. government regarding the so-called Safe Harbor 2.0 within three months.  This timeline dovetails with the Article 29 Working Party’s grace period, which continues until the end of January 2016.

The Commission stated that, for now, companies can use the following transfer tools:

  • Standard Contractual Clauses (or Model Contract) and other contractual solutions that “satisfactorily compensate for the absence of a general level of adequate protection, by including the essential elements of protection which are missing in any given particular situation.”
  • Binding Corporate Rules, which, upon authorization by the data protection authority in each Member State from which the company wishes to export data, allow personal data to move freely among the different branches of a global company.
  • Applicable alternative derogations set forth in Article 26(1) of Directive 95/46/EC, including certain circumstances where the transfer is necessary:
    • For the performance of a contract or the implementation of pre-contractual measures taken in response to the data subject’s request (such as when the data subject wishes to book a flight or hotel room in the U.S.);
    • For the conclusion or performance of a contract concluded in the interest of the data subject between the data controller or a third party (such as when a data subject is the beneficiary of an international bank transfer); or
    • For the establishment, exercise, or defense of legal claims.
  • If there is no other ground, the free, informed, and unambiguous consent of the individual, which may be revoked by the individual.

The Commission reiterated the Article 29 Working Party’s recommendation that the specific legal framework of the Standard Contractual Clauses or Binding Corporate Rules is preferable to the alternatives for repetitive, mass, or structural data transfers.

The Commission also promised to “work closely with the independent data protection authorities to ensure a uniform application of the ruling.”  This task may prove difficult, in light of the differences in contemplated implementation and enforcement among data protection authorities.  The Spanish data protection authority, for example, is requiring companies that previously gave notice of cross-border data transfers to Safe Harbor-certified companies to inform it by January 29, 2016 of the replacement mechanisms implemented to achieve adequate protection.  This move by the Spanish data protection authority implicitly suggests that Safe Harbor alternatives remain valid in Spain for the time being.  Conversely, as we previously discussed here and here, German data protection authorities have cast doubt on the continued validity of many alternatives endorsed by the Commission and the Article 29 Working Party.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Laura E. Goldsmith Laura E. Goldsmith

Laura Goldsmith is a partner in the Technology, Media and Telecommunications Group and member of the Privacy & Cybersecurity Group and Life Sciences Group. Her practice focuses on matters in technology, intellectual property, privacy and data protection across a range of industries including…

Laura Goldsmith is a partner in the Technology, Media and Telecommunications Group and member of the Privacy & Cybersecurity Group and Life Sciences Group. Her practice focuses on matters in technology, intellectual property, privacy and data protection across a range of industries including life sciences, media, entertainment, sports, sports betting, software, professional and financial services, healthcare, retail, fashion and communications.

Laura structures and negotiates complex technology transactions, such as license agreements, joint development agreements, supply, manufacturing or other services agreements, and software-as-a-service agreements.  In particular, she regularly represents life science companies in licensing deals, co-commercialization arrangements, research collaborations, strategic acquisitions, and other transactions.

Laura also counsels clients in navigating compliance with international, federal and state laws related to privacy and data protection in the context of transactions, vendor relationships, internal compliance and external-facing policies.  She is an editor of and contributor to Proskauer’s Privacy Law Blog and contributor to the State Privacy Laws and Financial Privacy chapters of the Proskauer on Privacy treatise published by PLI.

Laura is a member of the Proskauer Women’s Alliance Steering Committee and previously served as its co-chair.

Prior to her legal career, Laura worked as a consultant to global pharmaceutical companies formulating drug development strategy and clinical trial design. She also conducted scientific research in pharmacology and biology at Duke University Medical Center and her research has been published in peer-reviewed journals.

While at Boston University School of Law, Laura served as the Editor-in-Chief for the Review of Banking & Financial Law and interned for Judge Kiyo A. Matsumoto of the U.S. District Court for the Eastern District of New York.