2015/11/25

Safe Harbor | Questions and answers

1. WHAT IS SAFE HARBOR?

Safe Harbor, in the field of data protection, is a self-certification procedure and cooperation framework between the US Department of Commerce and the European Commission, recognised through an EU Decision. Through it, entities established in the US committed to comply with European data protection rules, in accordance with EU legislation, and it served as the legal basis for entities that operate in both jurisdictions and process personal data of their clients and/or users.

2. WHAT HAPPENED?

Following a request for a preliminary ruling in proceedings between Maximillian Schrems and the Irish Data Protection Commissioner, the European Court of Justice (ECJ) declared Safe Harbor invalid as a basis for data transfer operations between the EU and the US.

3. HOW IS THIS APPLICABLE TO OUR BUSINESS?

Many companies may be involved in data transfer operations without realising it, because they hire services from companies based in the US, use cloud services with servers based in the US, or belong to a group of companies that exchanges information between its various branches, etc.

4. BUT WHY IS SAFE HARBOR INVALID?

According to the ECJ ruling, Safe Harbor is invalid because:

a) The US has no general law on data protection, or other measures of the same nature, indicating that it can provide a level of protection adequate and equivalent to the European one;

b) US law enforcement authorities are not bound by Safe Harbor, and they can access the data without any legal basis and without offering guarantees to European citizens; and

c) Personal data would be subject to inadequate and excessive processing by those authorities.

5. AND NOW?

At the meeting of the Working Party, which brings together the Data Protection Authorities (DPAs) of the 28 Member States, it was decided to set a grace period until the end of January 2016 to allow businesses to find solutions and adapt to the situation.

6. AND WHAT IS THE SITUATION IN PORTUGAL?

In Portugal, the DPA (CNPD) has decided that:

a) Data controllers in Portugal must suspend immediately all data transfers to the US;

b) The DPA will only issue provisional authorisations for data transfers to the US, subject to review in the near future;

c) Data transfers to the US previously authorised since 2000 under the EU Commission Decision will be formally reviewed.

7. WILL SANCTIONS BE APPLIED?

According to the position of the majority of EU DPAs, immediate enforcement during the grace period (until late January 2016) is unlikely. However, at the end of this period the DPAs are expected to begin enforcing the decision, in particular through coordinated actions at EU level.

8. WHAT MUST BE DONE IMMEDIATELY?

a) Identify the data transfers taking place within the organisation, whether intra-group or with external service providers, also taking into account the categories of data involved;

b) This identification must be done through an audit;

c) Determine which transfers are fundamental to the internal operations and/or services;

d) Identify the most appropriate mechanisms available to regularise the situation with the CNPD.

9. WHICH MECHANISMS ARE AVAILABLE?

a) EU MODEL CLAUSES: agreements between the European data exporter and the data importer in the United States, approved by the European Commission. They may provide a good alternative, particularly in intra-group relations;

b) INTRAGROUP AGREEMENTS (IGA): multilateral agreements between entities of the same group, as opposed to self-binding unilateral declarations by individual entities;

c) DEROGATIONS: alternatively, some entities can rely on the derogations established in the legislation, which must be analysed on a case-by-case basis.

10. WE HAVE OPERATIONS IN THE US AND WE ARE IN SAFE HARBOR. SHOULD WE UPDATE OUR DATA PROTECTION POLICIES AND INTERNAL PROCEDURES?

a) If the legal basis for the data transfers is Safe Harbor, alternative mechanisms should be analysed and you must proceed with the updates accordingly;

b) Subsequently, you must regularise the situation with the CNPD.

11. WE HAVE AGREEMENTS WITH SERVICE PROVIDERS ESTABLISHED IN THE US AND WITHIN SAFE HARBOR. WHAT SHOULD WE DO?

a) First, review all existing contracts that contain references to Safe Harbor;

b) Then, ask those entities whether they already offer any alternatives, namely proper and adequate agreements or EU Model Clauses;

c) Finally, with that information, regularise the situation with the service provider and with the CNPD.

12. DO SIGNED EU MODEL CLAUSES WITH REFERENCES TO SAFE HARBOR REMAIN VALID?

They remain valid, since the legal basis for the data transfers is the EU Model Clauses themselves.

13. IS THERE ANY RISK THAT DATA TRANSFER AGREEMENTS BASED ON EU MODEL CLAUSES WILL BE AFFECTED BY THE ECJ RULING?

That risk exists, since the ground for the invalidity ruling was the lack of adequate protection of both the data and the data subjects, and the same ground can be applied to the EU Model Clauses.

14. ARE IGAs A VIABLE ALTERNATIVE?

a) The CNPD considers multilateral agreements between entities of the same group to be appropriate contractual clauses, provided that they are identical to and in accordance with the standard Model Clauses approved by the European Commission;

b) IGAs must be notified to the CNPD by the data controller, stating that the IGA is identical to and complies with the Model Clauses approved by the European Commission, and is in accordance with the conditions set out in Resolution No. 1770/2015.

15. IF AN ENTITY USES THE EU MODEL CLAUSES, MUST IT ENTER INTO A SEPARATE AGREEMENT WITH EACH CLIENT?

Yes, service providers will have to enter into individual agreements with each of their European clients.

16. HOW DO DEROGATIONS WORK?

Derogations established in the legislation must be analysed on a case-by-case basis, and to be accepted they need to rest on one (or more) of the following grounds:

a) The transfer is made with the data subject’s unambiguous consent;

b) The transfer is necessary for the performance of a contract with, or in the interests of, the data subject;

c) The transfer is necessary or legally required to safeguard a public interest, or is necessary to protect the vital interests of the data subject;

d) The transfer is made from a public register, in accordance with the applicable law or regulations.