This document summarizes a webinar discussing guidance on transatlantic data transfers after the Schrems ruling. The webinar covered the background of the Schrems case and ruling, statements from the Article 29 Working Party and various data protection authorities, developments regarding Safe Harbor 2.0, and recommendations for businesses to audit their data transfer practices and implement alternative transfer mechanisms like standard contractual clauses.

1. Safe Harbor Developments Webinar
…what now?
3 November 2015
Paula Barrett Global Head of Data Privacy, London
Dr. Alex Niethammer Partner, Munich
Marie McGinley Partner, Dublin
Monika McQuillen Partner, Switzerland

2. Eversheds LLP | 06/11/2015 |
1. Background to Schrems case
2. CJEU Ruling
3. The Article 29 Working Party Statement
4. What Data Protection Authorities (DPAs) are saying
5. Safe Harbor 2.0
6. What businesses should be doing
What will we cover…
Agenda
Guidance on transatlantic data transfers post-Schrems

3. Background
The Schrems case and CJEU ruling

4. Eversheds LLP | 06/11/2015 |
−EU Privacy Directive (95/46)
• transfers of personal data to a third country where it ‘ensures an
adequate level of protection’
• the Commission may find that a third country ‘ensures an
adequate level of protection …. [for] private lives and basic
freedoms and rights of individuals’
−Safe Harbor Decision (2000/520)
• Commission documented the Safe Harbor principles and
established that transatlantic transfers under them do provide an
adequate level of protection
Legislative background
The Schrems case
Background
Guidance on transatlantic data transfers post-Schrems

5. Eversheds LLP | 06/11/2015 |
−PRISM scandal
• US authorities’ (lawful) large-scale monitoring/collection of EU
citizens’ personal data transferred to US
• US entities bound to comply with authorities’ requests in public
interest and law enforcement interests
−Schrems
• Maximillian Schrems complained to Irish DPA about transfers of
his personal data by Facebook’s Irish subsidiary to its parent’s US
servers – not ‘adequate’ protection
• Irish DPA rejected complaint on basis of Safe Harbor Decision
• Schrems challenged this in the Irish High Court – referred to
CJEU
Factual background
The Schrems case
Background
Guidance on transatlantic data transfers post-Schrems

6. Eversheds LLP | 06/11/2015 |
−Safe Harbor Decision is invalid
• it did not take into account overriding US legislation enabling
lawful large-scale monitoring/collection of personal data
• no remedies/recourse for EU citizens against US authorities
−DPAs can and should be free to investigate adequacy
rulings of third countries
• power to do so is not fettered by Commission decisions, such as
the Safe Harbor Decision
CJEU ruling (6 October 2015)
The CJEU ruling
Background
Guidance on transatlantic data transfers post-Schrems

7. Article 29 Working Party “statement”
16 October 2015

8. Eversheds LLP | 06/11/2015 |
− Reliance on Safe Harbor is unlawful
− Model clauses and BCRs can be relied upon… for now
• A29 WP going to review over next couple of months
− Mass surveillance by US authorities is a breach of
fundamental rights regardless
• Will not be solved by amending the transfer mechanisms
− EU/US authorities have until the end of Jan 2016 to find a
solution
• e.g. intergovernmental agreements, Safe Habor 2.0
− After that, and dependent on A29 WP’s analysis of transfer
mechanisms, regulators will be encouraged to take
enforcement action (including coordinated enforcement)
Summary
Article 29 Working Party “statement”
Guidance on transatlantic data transfers post-Schrems

9. Eversheds LLP | 06/11/2015 |
− Statement was very short (lacking detail)
− Can DPAs investigate complaints re Model Clauses / BCRs?
− What if they are found inadequate before end of January?
− What happens if the Working party finds Model Clauses and
BCRs are unlawful AND there is no Safe Harbor 2.0?
• WOULD ALL TRANSFERRING ENTITIES BE SUBJECT TO
ENFORCEMENT?
• IS THAT REALISTIC?
Summary cont.
Article 29 Working Party “statement”
Guidance on transatlantic data transfers post-Schrems

10. What are the DPAs saying?
Germany, Ireland, Switzerland and UK

11. Eversheds LLP | 06/11/2015 |
− Taken similar approach to the Working Party
− Questions BCRs and Model Clauses
− does not to make a general statement that BCRs and Model
Clauses are no longer “valid”
• (some local German DPAs had previously suggested this)
− does clearly state that the German DPAs will not approve any
new BCRs or Data Transfer Agreements to US
− Impact is unclear; Challenge in Germany: works councils
− DPAs to audit Safe Harbor companies
(Caspar, DPA Hamburg; responsible for Facebook and Google)
October 26 Position Paper
Germany
What are the DPAs saying?
Guidance on transatlantic data transfers post-Schrems

12. Eversheds LLP | 06/11/2015 |
− Mr. Justice Gerard Hogan held that the Irish DPA had an
independent duty to investigate
−Original decision of the Irish DPA not to investigate was quashed
on consent
−Irish Commissioner, Ms. Helen Dixon, released a statement
welcoming the ruling and stated that the Irish DPA would
investigate the complaint with all due diligence
−Unclear as to how long the investigation by the Irish DPA will
take
−Companies should follow approach provided by the Article 29
Working Party in the interim
October 20 High Court Decision
Ireland
What are the DPAs saying?
Guidance on transatlantic data transfers post-Schrems

13. Eversheds LLP | 06/11/2015 |
− 7 October 2015 Swiss Safe Harbor remains in place but with a
severe health warning
− 22 October 2015 Swiss Safe Harbor privacy framework is no longer
sufficient
−Contractual or other safeguards (e.g. BIC) necessary.
−Recommendation of increased transparency
• Analogy to procedures concerning transmission of personal data of bank
employees;
• To inform data subjects comprehensively about transmissions of personal data
to the U.S.;
• To assist data subjects in the protection of their rights in proceedings before
foreign authorities;
• To take necessary compliance steps until end of January 2016.
Statements of Swiss FDPIC
Switzerland
What are the DPAs saying?
Guidance on transatlantic data transfers post-Schrems

14. Eversheds LLP | 06/11/2015 |
− “Don’t Panic”
− “don’t rush to other transfer mechanisms that may turn out to
be less than ideal… especially with the possibility that a new,
improved and perhaps rebranded Safe Harbor will emerge.”
− Suggested that the Ruling did not make reliance on Safe Harbor
(in its current state) automatically unlawful in the UK –
“…businesses in the UK don’t have to rely on Commission
decisions on adequacy… UK law allows you to rely on you own
adequacy assessment.”
− “We’re certainly not rushing to use our enforcement powers”
−Model Clauses / BCRs still stand but Ruling has “cast doubt” on
the adequacy decision relating to them
UK
What are the DPAs saying?
Guidance on transatlantic data transfers post-Schrems
Information Commissioner’s Office (27 October
2015)

15. Safe Harbor 2.0
When, Where, What, How?

16. Eversheds LLP | 06/11/2015 |
− New trans-Atlantic data transfer pact being negotiated
− Agreement reached in principle that Safe Habor 2.0 should
comply with CJEU Ruling:
“There is agreement on these matters in principle, but we
are still discussing how to ensure that these commitments
are binding enough to fully meet the requirements of the
[CJEU]” - Justice Commissioner Vera Jourova
− To include the requirement for increased oversight by the US
Department of Commerce
− Potentially – significant movement by mid-late November
• (when the Justice Commissioner is to visit Washington)
October 26 Announcement
When, Where, What, How?
Safe Harbor 2.0
Guidance on transatlantic data transfers post-Schrems

17. What should businesses do?
One step at a time

18. Eversheds LLP | 06/11/2015 |
− Consider risk exposure
− Consider timing – might have until end of January but
could take much longer to implement alternatives
− Suggest implementing ‘Plan B’ now
− What about reliance on Consent?
• Consent would have to be very specific, informed and freely
given
• Not so easy to achieve as it might appear on first reading.
Key points
One step at a time
What should businesses do now?
Guidance on transatlantic data transfers post-Schrems

19. Eversheds LLP | 06/11/2015 |
1. What personal data flows does your company have to the US?
2. Which is the largest in terms of volume of data transferred? Start with these.
3. Which involve sensitive details e.g. on health? These are high risk, so consider these too in
priority.
4. Which of these data flows were made in reliance on Safe Harbor?
5. Who were the transfers of data to? Consider internal group transfers and those to third
parties such as vendors.
6. Do these Safe Harbor based arrangements have contracts which already include completed
Model Clauses?
7. If not, do these contracts give you the right to insist on Model Clauses if Safe Harbor fails?
8. Are discussions in place with the other party for Model Clauses, where not already in
place?
9. Have you dealt with local data exporter transfer filings / approval requirements and
allowed time for their completion before January 2016?
10. For future contracts and data flows, are your internal contracts and/or procurement team
up to date on the changes, ensuring no future reliance only on the current Safe Harbor
framework?
Steps to Take
One step at a time
What should businesses do now?
Guidance on transatlantic data transfers post-Schrems

20. Questions?

21. Eversheds LLP | 06/11/2015 |
Contact details
Guidance on transatlantic data transfers post-Schrems
Country Contact E-mail Phone
UK Paula Barrett paulabarrett@eversheds.com +44 20 7919 4634
Germany Dr. Alex Niethammer alexander.niethammer@eversheds.de +49 895 456 5318
Ireland Marie McGinley mariemcginley@eversheds.ie +353 1 6441 457
Switzerland Monika McQuillen monika.mcquillen@eversheds.ch +41 44 204 90 97

22. eversheds.com
©2015 Eversheds LLP
Eversheds LLP is a limited liability partnership