The international transfer of personal data without the Safe Harbor agreement
On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the Safe Harbor agreement, establishing the appropriate level of protection for the international transfer of data to the US, invalid.
It agreement concerns international data transmissions between Spain and a territory outside the European Economic Area (EEA).
Under current legislation in Spain (the LOPD), when using a cloud computing service in which personal data is stored, the provider of such service is considered responsible for its handling. If the service is not located in the EEA, then its usage constitutes an international data transfer. This happens for example when we use Google servers to manage a natural person’s emails, when we store personal data files in Dropbox, or when we send email campaigns using Mailchimp.
Any company that carries out international data transfers shall notify the Spanish Data Protection Agency (AEPD) and if the data importer (the service used to manage personal data) does not provide an adequate level of protection, then the company needs to obtain authorization from the Board of the AEPD.
Statement of the Spanish Data Protection Agency (AEPD)
In the face of the concern generated by the published article titled The Ultimatum of the AEPD to Spanish companies: forbidden to use Dropbox or Google Apps, the Spanish Data Protection Agency (AEPD) points out that:
- The AEPD has not given any ultimatum to Spanish companies.
- On 29 October, the Agency publicly announced that in the framework of a joint action of European authorities on data protection, it is going to establish contact with all the companies with a record of carrying out international transfers under the Safe Harbor agreement.
- The Agency has in no case required those responsible to stop using certain cloud storage services and the Agency’s actions are not aimed at prohibiting the use of any particular tools, but to inform those responsible that, if necessary, they should demand an appropriate response to the ECJ ruling from their service provider.
- The ECJ ruling is aimed at responsible entities, not citizens who carry out domestic use of personal data that may be stored in the cloud.
- In the case of Spain, the European authorities for data protection require those responsible to inform the General Register of Data Protection of the AEPD before the end of January on the continuity of transfers and their compliance with data protection regulations. The Agency has never announced its intention to by default initiate disciplinary procedures against companies.
- The Agency, together with European data protection authorities, back finding sustainable solutions to implement the ECJ ruling and a way to enable compliance with the Court’s ruling.
The European Commission has stated that it believes to reach an agreement with the United States in what has been called the Safe Harbor 2.0 agreement.
What can Spanish companies do?
Pending an agreement, a company should remember the assumptions legitimizing international data transfer covered by the current data protection regulations:
- When a company qualifies for one of the exceptions of Articles 34 of Organic Law 15/1999 on the Protection of Personal Data (LOPD) and 66.2 of Royal Decree 1720/2007
- When a company has authorization from the Director of the AEPD
- When a company applies contractual clauses as previously approved by the European Commission for providing sufficient guarantees
- When a company has express consent of each of the data holders.
This article is not considered as legal advice