Nordic approaches to EU-US data transfers after the Safe Harbor-judgement

Published: 10 December, 2015

What impact does the Safe Harbor judgment have on personal data protection in the Nordic countries? Four Nordic lawyers, including Sara Malmgren from Foyen, have summarized the situation. They give an overview of how the judgment affects, among other things, transfer of personal data to servers based in the EU, whether the model clauses are still acceptable, and more.

Lawyer Sara Malmgren


Short overview:

| | Sweden | Denmark | Finland | Norway |
|---|---|---|---|---|
| Accept model clauses in principle | Yes | Yes | Yes | Yes |
| US access to EU based servers | Constitutes transfer | Constitutes transfer | Constitutes transfer | Constitutes transfer |
| Notification/approval requirements | Application for exemption when transfer is based on BCR. Otherwise no notification needed as a main rule, provided a Representative is appointed. | Prior approval required, unless unmodified model clauses (in that case no notification/approval needed). | Prior notification to DPA required for transfers based on BCR. No notification for transfer using unmodified model clauses. | Approval, but prior notification for transfer to data processors based on unmodified model clauses. |
| Stance on Article 29-“approved” agreements | No effect | Does not affect whether agreements need approval | No effect. | Does not affect whether agreements need approval |
| Consent | Yes, consent is an accepted legal ground for transfer | Consent may be used as legal basis for transfers, but should generally not be used as legal basis for mass transfer of data | Seen as a valid tool for transfers. | Discouraged in most cases |
| Auditing requirements | No. | No specific requirements | No. | Third party |
| Timeline | In line with Article 29 WP. | In line with Article 29 WP. | In line with WP29. | In line with Article 29 WP. |

Does the Data Protection Authority accept model clauses for transfer of personal information to countries without adequate protection, the US in particular?

Norway: Yes, Datatilsynet has explicitly recommended model clauses as basis for transfer to the US.
Denmark: Yes, Datatilsynet has explicitly recommended model clauses as basis for transfer to the US.
Sweden: Yes, and it is also stipulated in the Personal Data Ordinance (swe: Personuppgiftsförordningen) that transfer based on the model clauses is allowed.
Finland: Yes, the Data Protection Ombudsman has stated that other transfer bases than Safe Harbor can still be used.
 
How does the Safe Harbor-judgement affect US access to servers based in the EU?

Norway: It follows from previous practice that access by US personnel to personal data stored in the EU constitutes a transfer of data. Accordingly, such access must also have a legal basis in line with other transfers.
Denmark: Access by US personnel to personal data stored in the EU constitutes a transfer of data. Accordingly, such access must also have a legal basis in line with other transfers.
Sweden: Such access constitutes processing of data. Therefore, legal grounds for transfer to third countries must exist.
Finland: Access to information located in the EU from outside of the union is considered an international transfer. Consequently, all legal provisions applicable to transfers also apply to such access.

Are there any notification/approval requirements as regards transfer to third countries?

Norway: The main rule is that all agreements entailing transfer to countries without adequate protection need prior approval from Datatilsynet; this also applies to model clauses. However, there is an exemption where the transfer is to take place to a data processor in such a country, and the basis for the transfer is the unmodified model clauses. In this case, prior notification (including submission of the signed agreement and annexes) is sufficient.
Denmark: The main rule is that all agreements entailing transfer to countries without adequate protection need prior approval from Datatilsynet. However, there is an exemption where the transfer is to take place to a data processor or data controller in such a country, and the basis for the transfer is the unmodified model clauses. In this case, neither prior approval nor notification is required.
Sweden: If the Personal Data Controller has appointed a Personal Data Representative (swe: Personuppgiftsombud) and has notified the DPA of the appointment, no further notifications are needed, as a general principle. That includes transfer of data to a third country based on the model clauses. However, transfer of data to a third country based on Binding Corporate Rules (BCR) does require an application for exemption from the general prohibition against transfer to such country.
Finland: A notification to the Data Protection Ombudsman is required when Binding Corporate Rules or other contractual provisions than model clauses are used to transfer data out of the EU. Transfers based on unmodified model clauses are not subject to the prior notification requirement.
 
What is the DPAs' (Data Protection Authorities') stance on the Article 29 Working Party confirmations[1]?

Norway: The exemption from the requirement for prior approval is only applicable when the unmodified model clauses serve as basis for the transfer. The confirmations from the Article 29 Working Party therefore have no direct effect in Norway – but might serve to expedite the approval process as long as there are terms lessening the privacy rights as set out in the model clauses.
Denmark: The exemption from the requirement for prior approval is only applicable when the unmodified model clauses serve as basis for the transfer. The confirmations from the Article 29 Working Party therefore have no direct effect in Denmark – but might serve to expedite the approval process as long as there are terms lessening the privacy rights as set out in the model clauses.
Sweden: The statements made by the DPA correspond to the Article 29 Working Party confirmations.
Finland: The Finnish DPA’s statements are in line with the confirmations of the Article 29 Working Party.

Is consent accepted as a basis for transfer?

Norway: Datatilsynet advises against the use of consent as a basis for transfer in most cases.
Denmark: Consent may be used as legal basis for transfers, but Datatilsynet generally advises against the use of consent as a basis for transfer in connection with mass transfer of data.
Sweden: The Personal Data Act stipulates that a valid consent from the registered person is grounds for legal transfer of data.  
Finland: Under the Finnish Personal Data Act, explicit consent of a data subject is a valid basis for transfers out of the EU area. The Finnish DPA has not issued any opinions different to the provisions of law.

Are there auditing requirements?

Norway: Previous statements from the DPA suggest that they will be content with third-party audits of compliance with model clauses.
Denmark: Datatilsynet does not require any specific audits of compliance with model clauses.
Sweden: Swedish legislation does not mention third-party audits, and neither does the DPA.
Finland: There are no requirements for third-party audits in the Finnish Personal Data Act and the DPA has been silent on the issue as well.

What does the timeline look like[2]?

Norway: No clear statement from Datatilsynet, except for paraphrasing the Article 29 Working Party statement on this point.
Denmark: Datatilsynet has paraphrased the Article 29 Working Party statement on this point. Furthermore, Datatilsynet has stated that if the member states and/or the European Union have not come to an agreement with the US authorities by the end of January 2016, the European DPAs will take necessary and appropriate enforcement actions. See the news on Datatilsynet’s website here: https://www.datatilsynet.dk/nyheder/seneste-nyheder/artikel/naermere-orientering-fra-datatilsynet-om-safe-harbor-dommen/.
Sweden: The DPA refers to the Article 29 Working Party’s declaration as regards the timeline, i.e. end of January 2016.
Finland: Finnish DPA has only referred to the WP29 statement on the matter.

Contributors:

DENMARK
Michael Hopp
Advokat, Partner
Plesner Advokatfirma
www.plesner.com
E-mail: mho@plesner.com
T: +45 3694 1306
M: +45 2999 3014

FINLAND
Eija Warma
Counsel
Castrén & Snellman Attorneys Ltd
www.castren.fi
E-mail: eija.warma@castren.fi
T: +358 (0)20 7765 376
M: +358 (0)50 5400 497

NORWAY
Eva I. E. Jarbekk
Advokat MNA, Partner
Advokatfirmaet Føyen Torkildsen AS
www.foyentorkildsen.no
E-mail: ej@foyentorkildsen.no
T: +47 21 93 10 00
M: +47 90051011

SWEDEN
Sara Malmgren
Senior Associate
Foyen Advokatfirma KB
www.foyen.se
E-mail: sara.malmgren@foyen.se
T: +46 (0)8 506 184 28
M: +46 (0)733 228428

[1] Letter of 2 April 2014 from the Article 29 Working Party to Microsoft confirming that the MS agreement is “in line with” the model clauses, and a similar letter of 6 March 2015 from the Luxembourg DPA to Amazon.
[2] In a statement of 16 October 2015, the Article 29 Working Party declared that the EU data protection authorities are committed to take “necessary and appropriate actions, which may include enforcement actions”, if no appropriate solution is found by the end of January 2016.