According to the Austrian Data Protection Act (Datenschutzgesetz, “DSG”), the transfer of personal data within the EU is unrestricted. However, and save for some exceptions, the transfer of personal data to non-EU Member States generally is subject to the Austrian Data Protection Authority’s (“ADPA”) prior approval. The ADPA only grants such approval if destination’s jurisdiction secures the fundamental right to data privacy in compliance with EU standards. One of the most important exceptions was based on the European Commission’s so-called “Safe Harbour Decision”. This decision held that US companies meet the European privacy standards if they self-certify as “Safe Harbour” with the US Federal Trade Commission.
“Safe Harbour” Invalidated – Threatening Administrative Penalties
On October 6, 2015, the European Court of Justice (“ECJ”) invalidated the European Commission’s “Safe Harbour Decision” (see ECJ, C-362/14 – Max Schrems vs Data Protection Commissioner & Digital Rights Ireland Ltd; link to the full text decision on the bottom).
The consequences for businesses in Austria arising from this ECJ decision are substantial: for example and most importantly, transfers of personal data from Austrian affiliates and subsidiaries to their US headquarters are now being deprived of the legal foundation of “Safe Harbour”. Hence, such data transfers are now – if there is no other ground of justification – considered illegal. The same applies to services provided from within the US, which require the transfer of personal data (such as cloud services), since they equally generally have relied on the “Safe Harbour Principle” so far.
Now all “Safe Harbours” in the US are gone. As of October 6, 2015, personal data transfer to the US thus is generally subject to the ADPA’s prior approval. Transferring data to the US without the required approval contravenes the DSG and thus entails substantial compliance issues. Although the current situation does not (directly) affect any US entities or US service providers, their Austrian affiliates and subsidiaries as well as any Austrian customers using US service providers are now right in the crosshairs. Administrative penalties up to EUR 10,000.00 per violation are now threatened.
No “Hot Fix” and no true Workaround
As there is no immediate “hot fix” for the no longer existing “Safe Harbour” for sustaining any exports of personal data to the US, all corresponding data applications and data exports must be stayed immediately.
Without the “Safe Harbour” exception, other legitimizations for international data transfers to the US have urgently to be put in place. Currently, (i) contractual guarantees given by US companies for ensuring the EU privacy standards or (ii) obtaining the explicit and informed consent of all data subjects concerned by the data export are debated.
With a view to the second alternative, it is worthwhile to note that even if the Austrian data exporter may obtain the required consent, this is quite a shaky workaround as this consent must be revocable with immediate effect at any time under the DSG. If the concerned data subject revokes his/her consent, his/her data may no longer be transferred to the US. Naturally, any such revocation would consequently jeopardize the corresponding data transfer(s) as, for example, transfers of employee data would then have to be incomplete.
Therefore, the first alternative generally seems to provide more legal certainty and comfort for data exporters: for example, any US entity importing personal data from Austria may give such contractual guarantees either through so-called “Standard Contractual Clauses” or even through the entire group covering “Binding Corporate Rules”. However, even if such guarantees were given, which in our experience can already take some time, the ADPA’s review and approval would additionally be required. Only after such review and approval proceeding has been successfully completed, personal data may again be transferred from Austria to the US. This, however, may take quite some time as such proceedings generally are not the quickest.
Other “work-arounds” would be that (i) no export of personal data and no access to personal data takes place from the US, so that any related data applications are solely provided within the EU, or (ii) only to transfer “(quasi-) anonymous”, namely merely “indirect personal data”, to the US. Naturally, neither of these alternatives seems satisfactory.
Link to the full text of ECJ, C-362/14 – Max Schrems vs Data Protection Commissioner & Digital Rights Ireland Ltd: http://goo.gl/Inbk8e.