Annexes to COM(2015)566 - Transfer of Personal Data from the EU to the USA under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems)

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2015)566 - Transfer of Personal Data from the EU to the USA under Directive 95/46/EC following the Judgment by the Court of Justice in ...
document COM(2015)566 EN
date November  6, 2015
Annex; Clause 7 of the Annex to Commission Decision 2010/87/EU.

(13)

     It should be noted that the proposal for the General Data Protection Regulation (COM(2012) 11 final) foresees that transfers based on SCCs or BCRs, to the extent that these have been adopted by the Commission or in accordance with the envisaged consistency mechanism, shall not require any further authorisation.

(14)

     The use of SCCs does not, however, prevent the parties from agreeing to add other clauses, as long as they do not directly or indirectly contradict the clauses approved by the Commission or prejudice fundamental rights or freedoms of the data subjects. See European Commission, "Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries" (FAQ B.1.9), p. 28 (available on the internet at: http://ec.europa.eu/justice/policies/privacy/docs/international_transfers_faq/international_transfers_faq.pdf).

(15)

If a DPA has doubts about the compatibility of SCCs with the requirements of the Directive, it should refer the question to a national court which can then make a reference for a preliminary ruling to the Court of Justice (cf. § 51, 52, 64 and 65 of the Schrems ruling ).

(16)

     The Article 29 Working Party has established a specific cooperation procedure between DPAs for the approval of contractual clauses that a company is seeking to use in different Member States. See Article 29 Working Party, "Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on 'Contractual clauses' Considered as compliant with the EC Model Clause" (WP 226), 26 November 2014. See also Clause VII of the Annex to Commission Decision 2004/915/EC, and Clause 10 of the Annex to Commission Decision 2010/87/EU.

(17)

     See Article 29 Working Party, "Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on 'Contractual clauses' Considered as compliant with the EC Model Clause" (WP 226), 26 November 2014, p. 2.

(18)

     See Article 29 Working Party, "Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules" (WP 153), 24 June 2008; "Working Document setting up a framework for the structure of Binding Corporate Rules" (WP 154), 24 June 2008; and "Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules" (WP 155), 24 June 2008.

(19)

     Article 29 Working Party, "Standard Application for Approval of Binding Corporate Rules for the Transfer of Personal Data" (WP 133), 10 January 2007.

(20)

     Article 29 Working Party, "Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From 'Binding Corporate Rules'" (WP 107), 14 April 2005.

(21)

     As the Article 29 Working Party has stressed, to the extent that other provisions of Directive 95/46/EC contain additional requirements relevant for the use of these derogations (for example the limitations of Article 8 for the processing of sensitive data), these need to be respected. See Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 8. See also European Commission, "Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries" (FAQ D.2), p. 50.

(22)

     This may include, for example, data transfers between tax or customs authorities, or between services competent for social security matters (see recital 58 of Directive 95/46/EC). Transfers between supervisory bodies in the financial services sector may also benefit from the derogation. See Article 29 Working Party, "Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive" (WP 12), 24 July 1998, p. 25.

(23)

     Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 7, 17.

(24)

     Article 29 Working Party, "Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive" (WP 12), 24 July 1998; "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005. See also European Commission, "Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries" (FAQ D.1 to D.9), p. 48-54.

(25)

     Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 8-10.

(26)

     Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 9. According to the Working Party, mass or repeated transfers may only be carried out on the basis of a derogation where recourse to SCCs or BCRs is impossible in practice and where the risks to data subjects are small (e.g. international money transfers). See also European Commission, "Frequently Asked Questions Relating to Transfers of Personal Data from the EU/EEA to Third Countries" (FAQ D.1), p. 49.

(27)

     Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 13. See also "Opinion 6/2002 on transmission of passenger manifest information and other data from airlines to the United States" (WP 66), 24 October 2002.

(28)

     Article 29 Working Party, "Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive" (WP 12), 24 July 1998, p. 24; "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 13.

(29)

     Article 29 Working Party, "Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive" (WP 12), 24 July 1998, p. 24.

(30)

     Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 15. For example, in an employment context the derogation cannot be used to transfer all employee files to the group's parent company established in a third country on the grounds of possible future legal proceedings.

(31)

     Hague Convention on the Taking of Evidence Abroad in Civil and Commercial Matters, opened for signature 18 March 1970, 23 U.S.T. 2555, 847 U.N.T.S. 241. This Convention covers, for example, pre-trial discovery or requests by the judicial authority of one state to the competent authority of another state to obtain evidence intended for use in judicial proceedings in the requesting state.

(32)

     Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 10, with reference to "Opinion 5/2004 on unsolicited direct marketing communications under Article 13 of Directive 2002/58/EC" (WP 90), 27 February 2004, point 3.2.

(33)

     Article 29 Working Party, "Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive" (WP 12), 24 July 1998, p. 24.

(34)

     Article 29 Working Party, "Opinion 8/2001 on the processing of personal data in the employment context" (WP 48), 13 September 2001, p. 3, 23 and 26. According to the Working Party, reliance on consent should be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw the consent without detriment. See also Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 11.

(35)

     Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 11. See also "Opinion 6/2002 on transmission of passenger manifest information and other data from airlines to the United States" (WP 66), 24 October 2002.

(36)

     Article 29 Working Party, "Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive" (WP 12), 24 July 1998, p. 24.

(37)

      Article 29 Working Party, "Opinion 15/2011 on the definition of consent" (WP 187), 13 July 2011, p. 9.

(38)

     Article 29 Working Party, "Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995" (WP 114), 25 November 2005, p. 11.

(39)

     See Statement of the Article 29 Working Party of 16 October 2015 (above footnote 8).

(40)

A number of multinational companies have declared that they base their data transfers to the U.S. on alternative tools. See e.g. the statements by Microsoft (http://blogs.microsoft.com/on-the-issues/2015/10/06/a-message-to-our-customers-about-eu-us-safe-harbor/) or Salesforce (http://www.salesforce.com/company/privacy/data-processing-addendum-faq.jsp). Other U.S. companies such as Oracle have said that they offer cloud customers the ability to store their data in Europe so that it is not sent for storage elsewhere: http://www.irishtimes.com/business/technology/oracle-keeps-european-data-within-its-eu-based-data-centres-1.2408505?mode=print&ot=example.AjaxPageLayout.ot

(41)

     See recital 60 and Article 25(1) of Directive 95/46/EC.

(42)

     See e.g. Clause 5 of the Annex to Commission Decision 2010/87/EU, and Article 29 Working Party, "Working Document setting up a framework for the structure of Binding Corporate Rules" (WP 154), 24 June 2008, p. 8.

(43)

See e.g. guidance issued by the European Network and Information Security Agency (ENISA): https://resilience.enisa.europa.eu/article-13/guideline-for-minimum-security-measures/Article_13a_ENISA_Technical_Guideline_On_Security_Measures_v2_0.pdf.

(44)

     See e.g. the position paper issued by the Data Protection Conference of the German Data Protection Authorities at Federal and State Level on 26.10.2015:https://www.datenschutz.hessen.de/ft-europa.htm#entry4521. Stressing that the Schrems ruling contains "strict substantive requirements" that both the Commission and the DPAs have to respect, the position paper indicates that the German DPAs will assess the lawfulness of data transfers based on alternative tools (SCCs, BCRs) and will no longer grant new authorisations for the use of these tools. In parallel, individual German DPAs have issued clear warnings that the alternative transfer tools are under legal scrutiny. See e.g. the position papers issued by the DPAs of Schleswig-Holstein:https://www.datenschutzzentrum.de/artikel/981-ULD-Position-Paper-on-the-Judgment-of-the-Court-of-Justice-of-the-European-Union-of-6-October-2015,-C-36214.html and of Rheinland-Pfalz: https://www.datenschutz.rlp.de/de/aktuell/2015/images/20151026_Folgerungen_des_LfDI_RLP_zum_EuGH-Urteil_Safe_Harbor.pdf.

(45)

     See Statement of the Article 29 Working Party of 16 October 2015 (above footnote 8).

(46)

     European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). See also European Parliament, Legislative Resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012)0011 – C7-0025/2012 – 2012/0011(COD); Council, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Preparation of a General Approach, 9565/15. The proposal is currently in the final stage of the legislative process.

(47)

     See recital 57 of Directive 95/46/EC.

(48)

     Currently, adequacy decisions have been adopted with regard to the following countries: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. See: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

(49)

     See paragraphs 99-104 of the Schrems ruling.

(50)

     See above footnote 4.