A number of jurisdictions around the world follow the lead from Europe in relation to data protection and impose similar restrictions on the export of personal data unless there is an “adequate level” of protection offered in the recipient jurisdiction. The EU Commission’s “US Safe Harbor” decision had permitted the transfer of personal data between Europe and the US by establishing that an adequate level of data protection was ensured by the EU-US Safe Harbor scheme.
With the European Court of Justice ruling in Case C-362/14 (the Schrems case) that the Commission decision underpinning the EU-US Safe Harbor scheme is invalid, we have looked at various regimes outside Europe and the US to see how this judgment has affected data protection practice in those jurisdictions.
In jurisdictions that have adopted data protection laws modelled on the EU Data Protection Directive 95/46/EC, it is apparent that the Schrems decision has created considerable uncertainty and led some international data protection authorities to withdraw the Safe Harbor arrangements as a means of lawful data transfer to the US. The impact has been less significant in jurisdictions that follow different models for protecting individuals whose data are transferred to the US.
Abu Dhabi Global Market (ADGM)
ADGM has only recently opened for business in Abu Dhabi as a broad-based international financial centre for local, regional and international institutions. The ADGM Data Protection Regulations 2015 were enacted two days prior to the judgment in the Schrems case and came into force upon their publication on 20 October 2015.
The Regulations state that transfers of personal data to recipients located outside ADGM may only take place if an adequate level of protection for such data is ensured by laws applicable to the recipient. For these purposes, the ADGM Registrar has designated a list of jurisdictions in Schedule 3 to the Regulations that it deems to provide an adequate level of protection for personal data. This list includes “United States of America, subject to compliance with the terms of the applicable US-EU or US-Switzerland Safe Harbours”.
Given the very recent establishment of this centre and its regulatory framework, it remains to be seen whether the EU’s changed position will cause ADGM to re-evaluate its list of jurisdictions offering an adequate level of protection or if data controllers will be permitted to make their own assessments for these purposes. Section 4(2) of the Regulations provides a non-exhaustive list of circumstances surrounding a data transfer that should be considered when assessing the adequacy of the level of protection, including the nature of the personal data, the purpose and duration of the proposed processing, the country of origin and final destination, and any relevant laws to which the recipient is subject. This appears to offer scope for self-assessment by data controllers. It may be prudent for ADGM companies to make these assessments before relying solely on the EU-US Safe Harbor adequacy determination in Schedule 3 until the Registrar has issued further guidance.
In the absence of an adequate level of protection being ensured by relevant laws, the Regulations also contain a range of alternative means of facilitating data exports through compliance with one of the conditions listed in Article 5. These conditions include transfers made pursuant to the standard form ADGM data transfer agreements annexed to the Regulations or transfers between one or more members of a group of companies in accordance with a suitable global data protection compliance policy (similar to the European options for data export pursuant to model clauses or binding corporate rules). As noted in our blog post on the consequences of Schrems in Europe, these solutions may provide the most obvious alternative for businesses moving away from reliance on Safe Harbor.
Australia
Australia is seeing few material effects arising from the Schrems case.
The Australian Privacy Commissioner has so far declined to nominate any country or region as a safe harbor for the purposes of Australia’s Privacy Act. The relevant part of the Privacy Act is Australian Privacy Principle (APP) 8.2(a) which provides that an obligation to ensure that the overseas recipient complies with the Principles does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if the entity reasonably believes that:
(a) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
(b) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme.
In addition to there being some doubt about the first limb in many cases, the second limb of the requirement appears to raise one of the issues identified in the Schrems ruling: namely a lack of mechanisms under which an Australian citizen could enforce privacy protection in the recipient’s country.
For that reason, most Australian organisations do not typically rely on any type of safe harbour arrangement but instead disclose personal information to overseas recipients in accordance with the requirement in APP 8.1. In practice, this requires the discloser to include detailed privacy provisions in its agreement with the recipient.
Canada
The Schrems case has had little impact in Canada to date.
Canada’s federal privacy legislation has been declared adequate by the EU Commission and the law allows any person full rights to litigate breaches in Canada. In terms of exports, applicable federal and provincial legislation regulates, but does not prohibit, the transfer of personal information out of the country. The regulatory framework requires that organisations put in place contractual measures to ensure an adequate level of confidentiality and security for personal information exported from the jurisdiction, although no approval of these measures is required by the authorities.
The Privacy Commissioner of Canada has ruled that cross-border transfers do not require additional consent from individuals provided that the organisation is transparent and gives notice of the fact that: (i) such transfers occur; and (ii) once in the foreign jurisdiction, the information is subject to the laws in that jurisdiction which may not provide the same level of protection as under Canadian law.
Dubai International Financial Centre (DIFC)
The DIFC is a financial services free zone in the United Arab Emirates with more than 1,000 active registered companies. The DIFC Data Protection Law (DIFC Law No.1 of 2007, as amended) is modelled closely on European law and similarly permits the export of personal data only to jurisdictions that provide an adequate level of protection for that personal data. The DIFC Data Protection Regulations list the EU-US Safe Harbor scheme as a regime providing an adequate level of data protection for the export of data from the DIFC.
The DIFC Commissioner for Data Protection has issued guidance to DIFC entities on the export of personal data outside the DIFC in light of the Schrems case. The guidance contains a recommendation that data controllers seeking to export personal data from DIFC to the US should rely on the alternative data transfer mechanisms provided for in the DIFC Data Protection Law. These mechanisms include similar derogations to those found in European law, including where the data subject has provided written consent to the transfer, where the transfer is necessary for the performance of certain contracts or where the transfer is necessary for compliance with legal obligations.
While there is no formal recognition of DIFC-approved model clauses in the Law or Regulations, the DIFC Commissioner’s general guidance on the DIFC Data Protection Law states that the use of “appropriate contractual clauses” may be considered adequate safeguards for the Commissioner to grant a permit for the transfer according to Article 12(1)(a) of the Law. Similarly, if the data controller can show the Commissioner that it applies binding codes of corporate conduct (known as “binding corporate rules” in European data protection law) this would also likely be considered an adequate safeguard by the Commissioner.
Accordingly, data controllers in the DIFC are highly likely to be making a similar analysis to their European counterparts as to the alternative routes for legitimising transfers into the US.
India
In 2011, India issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Rules), which prescribe how personal information can be collected and used by organisations in India. The transfer of sensitive personal data or information by an Indian entity to another entity in any other jurisdiction is permitted if: (i) the entity in the other country ensures and maintains the same level of data protection as the Indian entity that is transferring such data; and (ii) the transfer of such data is necessary for the performance of a lawful contract between the Indian entity and the provider of such information, or the provider of the information has consented to the transfer.
An entity will be considered to have complied with the first limb of the conditions noted above if it has implemented security practices and standards comprising a comprehensive information security programme and information security policies that include managerial, technical, operational and physical security control measures. The Rules stipulate one international standard in this regard: IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”. Industry associations in India may follow a different data security standard upon specific approval by the Government of India, but compliance with such standards will be subject to annual audit and certification by government-approved agencies.
Except as noted above, the Government of India has not issued any notification or guidelines to date that confirm any countries or regimes as having an adequate level of security measures and standards for data protection with respect to transfers of data from India. Accordingly, there is no immediate prospect of the Government of India or the Ministry of Communications and Information Technology taking any specific action or issuing any direction in light of the Schrems judgment.
Qatar Financial Centre (QFC)
QFC is another regional financial services hub in the Middle East. Like the regimes in the Dubai International Financial Centre and Abu Dhabi Global Market, the QFC Data Protection Regulations 2005 are modelled on European legislation, with a restriction on transfers of personal data to recipients located outside the jurisdiction unless “an adequate level of protection for that Personal Data is ensured by laws and regulations that are applicable to the Recipient” (Article 9).
Unlike DIFC and ADGM, the Regulatory Authority in QFC has not prescribed a list of jurisdictions offering adequate protection for these purposes. Instead, Article 9(2) and the accompanying QFCA Data Protection Rules confirm that the data controller is responsible for making this assessment. The Rules state that the Regulatory Authority expects data controllers to adopt a “consistent approach” when assessing the adequacy of levels of protection for personal data in other jurisdictions.
Among other considerations recommended in the Rules are whether there is an effective mechanism for individuals to enforce their rights or obtain redress if the standards are not met, the law in force in the jurisdiction in question regarding data protection, any international obligations to which the recipient is subject and any relevant codes of conduct or other rules which are enforceable in that jurisdiction. Further, the Rules also recommend that data controllers consider whether the jurisdiction in question is “the subject of any finding or presumption of adequacy by another data protection regulator or other relevant body (such as the European Commission)”.
Prior to the judgment in the Schrems case, a recipient’s participation in the EU-US Safe Harbor scheme would have been a reasonably persuasive factor for a QFC entity to determine that adequate protection was in place, based on the European Commission’s finding of adequacy. Although, so far as we are aware, no formal announcement has been made by the QFC regulator with specific reference to Schrems, it seems likely that QFC entities will have to re-assess any prior findings of adequacy that relied on Safe Harbor certification. A QFC entity that can no longer reach the same determination, and cannot rely on any of the other conditions for data export set out in Article 10 of the Regulations, may have to seek a permit from the QFC Authority.
Singapore
The Schrems case is likely to have little impact in Singapore because the data protection laws do not have the concept of “safe harbours” or specify a list of countries that qualify as adequate for data transfer purposes.
Personal data in Singapore is protected by common law, sector specific laws and the new Personal Data Protection Act 2012 (PDPA) which came into full force in July 2014. The PDPA provides that an organisation may transfer personal data to a country or territory outside Singapore only if the transferring organisation has ensured that the recipient organisation will provide a standard of protection for such data that is comparable to the level of protection prescribed by the PDPA.
Most organisations in Singapore typically fulfil this requirement by imposing legally enforceable obligations on the recipient organisation in the form of data transfer agreements between the organisations, rather than by assessing the adequacy of the laws in the destination jurisdiction.
South Africa
South Africa’s Protection of Personal Information Act 2013 (POPI) is largely based on the principles of the EU Data Protection Directive. This includes the requirement that personal information must be adequately protected when transferred cross-border (assuming none of the other grounds apply).
US corporations have previously attempted to rely on their Safe Harbor certification when demonstrating the adequacy of their data protection capabilities to South African companies. In light of the Schrems case, this is unlikely to be acceptable.
The ECJ’s ruling may have a bearing on the manner in which the South African information regulator (once appointed) enforces the adequacy requirement in POPI once the Act is in full force. In the meantime, South African companies with EU-based operations are being advised to review their contractual arrangements for data transfers to the US.
Additional contribution by Fortitude Law Associates (India).