Earlier this year I discussed data privacy essentials for in-house counsel (click here to read). The post discussed a number of basic data privacy issues, including the 2000 U.S.-EU Safe Harbor Agreement. The agreement allows U.S. companies that register and agree to its terms to legally transfer personal data from the EU into the U.S. The agreement was necessary because the European Commission (the “Commission”) determined that the U.S. did not have “adequate” data protection laws and, therefore, without such an agreement the ability to transfer personal data out of the EU and into the U.S. was limited due to provisions of Article 25(6) of the 1995 Data Protection Directive. The Safe Harbor Agreement remedied the problem by creating a mechanism under which U.S. companies could agree to apply core EU data protection principles to personal data and subject themselves to regulatory oversight by the Federal Trade Commission or the Department of Transportation.
Last week (October 6, 2015) the European Court of Justice invalidated the Safe Harbor Agreement. The court found that the agreement did not provide “essentially equivalent” data protection to EU citizens (primarily because of the then unfettered access to personal data by U.S. intelligence agencies under the PRISM program). The court also held that local Data Protection Authorities (DPAs) are empowered to independently assess whether a non-EU country provides adequate protection regardless of whether the Commission has already made such a determination that it does.
The result is a big mess regarding how companies that relied on the Safe Harbor Agreement can legally transfer personal data out of the EU and into the U.S. and how things will work in the future if DPAs can override a Commission decision on the adequacy of data protection in non-EU countries. This edition of Ten Things discusses some practical things U.S. companies should do next in light of last week’s development.
- Stay calm. The most important thing you can do right now is not panic. One week after the decision, personal data is still flowing from the EU into the U.S. (and it will continue to do so just like it did during the two year gap between the enactment of the Data Protection Directive in 1998 and the execution of the Safe Harbor Agreement in 2000). The European Commission and the Article 29 Working Party (a group of the national DPAs – “A29WP”) recognize that, in light of the court’s decision, they need to move quickly and in a uniform manner. The Commission and the A29WP have said they will provide guidance to businesses soon. Let this play out over the next few weeks before doing anything rash. Simply put, you should not expect a call from a DPA tomorrow telling you to stop transferring personal data out of the EU to the U.S.
- Do I need to worry regardless? The first thing a business needs to ask is whether or not it even matters that the Safe Harbor Agreement is no longer a valid mechanism to transfer data out of the EU. If your company is not transferring personal data out of the EU to the U.S., the decision has no impact on you. Similarly, if your company is not signed up to Safe Harbor and is transferring data under a different mechanism, then there is no impact on you. If your company is transferring data out of the EU directly to a country other than the U.S., the Safe Harbor Agreement did not apply anyway and you would continue to rely on whatever mechanism you relied on before the decision. In fact, there are only a handful of countries that the Commission has deemed provide an “adequate” level of protection. Data transfers to the 100+ other countries that are not “adequate” must transpire under some other mechanism, e.g., China, Brazil, India, and Australia are not “adequate.”
- Must I continue to comply with Safe Harbor? Ironically, yes. If you are currently a signatory to the Safe Harbor Agreement you must continue to comply with it as you are still bound by the terms and subject to enforcement by the FTC or the DOT (even though the agreement no longer provides a path to transfer data out of the EU). While you can “de-certify” from Safe Harbor, it is probably better to stay the course for the time being.
- Analyze your data flows. Now is an excellent time to take stock of your company’s data flows out of the EU. Determine whether personal data is coming out of the EU to you in the U.S.; identify which EU countries the data is coming from, the type of data (e.g., employee data), how sensitive the data is (e.g., health information), how important the data is to your company’s business, where your company would most likely face a complaint (works council, past experience, a zealous DPA), what mechanism your company is relying on to transfer the data to the U.S., etc. Don’t forget to consider any vendors you use to process data and, if you use third parties, whether they were relying on Safe Harbor. After you have mapped the data flows and thought through any contractual issues, you can then begin to figure out your next steps and/or the best way to legally transfer the data to the U.S. (or wherever it may need to go).
- Data Controller vs. Data Processor. It’s important to understand whether you are a data controller or a data processor. A data controller is the person/entity that collects the data and directs how the data will be used. A data processor is the person/entity that processes the data on behalf of, and subject to the directions of, the data controller. A data controller has more obligations under the EU Data Protection Directive than a data processor, and it may be easier to solve any issues arising out of the court’s decision if you are a processor rather than a controller. This post is written primarily from the viewpoint of a data controller. If you are a data processor, you may be getting panicked calls or emails from your Europe-based customers.
- What other mechanisms exist to legally transfer data out of the EU into the U.S.? There are a number of legal ways personal data can be transferred out of the EU and into the U.S. Of the options below, use of the model contract provisions appears to be the most viable in the short term (or it may ultimately be a mix of these depending on your business):
- Model Contracts. The Commission has approved “model contracts” that companies can put into place. You can find these at the EU website. You can sign them “as is” or work the key provisions into new contracts (or use them as amendments to existing contracts). Depending on which EU countries the data is flowing out of, you may need to register the contracts with the local DPA. If you are a data processor, you will likely be asked to sign a model contract by your European customer. Additionally, it is possible to ask the appropriate DPA(s) to approve one-off contracts. This will take a good amount of time to complete and is probably not worth the effort at this time unless you already started that process some time ago.
- Binding Corporate Rules. BCRs are a binding set of rules a company agrees to be bound by with respect to personal data. BCRs need to be approved by each of the local DPAs where you are transferring data from (e.g., UK, Germany, France) and are only valid for intracompany transfers, making them useful only in limited circumstances. This is a multi-month process, i.e., currently 12-18 months.
- Consent of the Individual. You can transfer personal data out of the EU to any country if you obtain the unambiguous informed consent of the individual. Unfortunately, what constitutes valid “consent” can be different in each EU country. That said, if you require a pop-up tick-box or other affirmative indication of consent (and do not rely on implied consent) you can get over at least one significant hurdle. The second hurdle is the requirement that the consent is not “coerced” and it is not clear whether saying the service is only available to users who consent to their data being transferred to the U.S. is a valid use of this option. It seems like it would qualify as the individual user would make a determination if they want to use the service or not. However, you can see where there is enough grey area that an aggressive DPA might take a contrary position (and know going in that the DPAs do view obtaining “consent” from an employee to transfer HR data out of the EU as freely given).
- Data Necessary for the Performance of the Contract. Under Article 26, if the data that needs to be transferred is necessary in order to perform a contract between an individual and another party the data may be transferred to a third country. For example, you could not complete a hotel booking in the U.S. without several pieces of personal information. Understand that like the issue of “consent” there is disagreement among the DPAs as to what data is “necessary” to complete a contract, meaning if you take this route you should limit the transfer to personal data that is absolutely necessary to complete the contract, e.g., do you really need the date of birth?
- Process the data within the EU. Another option is to not transfer the personal data at all and process it within the EU. If you can locate part of your business (or even just a set of servers) in the EU or use EU-based service providers you can avoid the Safe Harbor/transfer issue. However, under the best of circumstances, it may take months to set up processing in the EU and you will need to be sure that it will not be necessary to transfer data to the U.S. (or elsewhere) regardless.
- Safe Harbor 2.0. The U.S. and EU have been working on an updated Safe Harbor Agreement for a good while now. Even before the court’s decision, everyone expected changes to account for some of the shortcomings of the original agreement. You can rest reasonably assured that there will be a Safe Harbor 2.0 and that it will address the shortcomings noted by the court. Unfortunately, we are still many months away from the parties finalizing 2.0, leaving a big time gap in the interim. Moreover, since the court ruled that individual DPAs can make their own determinations as to whether a country is providing adequate data privacy, a new Safe Harbor Agreement will still be subject to attack by any DPA that is not happy with what the Commission negotiates. Hopefully, the Commission and the DPAs (A29WP) will come to agreement on the terms of 2.0 and avoid such a situation.
- New EU Data Protection Law. In addition to Safe Harbor 2.0, the EU is very close to finalizing a new comprehensive data privacy/protection law. Unlike the Directive which sets “minimum” privacy standards for EU member states but allows those member states to add stricter provisions in many cases, the new law will be a “regulation” and will set forth a uniform set of rules across the entire EU. While U.S. companies can expect the standards to be higher generally and should start preparing now, having a single set of uniform rules should count as a big plus.
- Stay Up to Date. Things will be in flux and moving fast over the next few weeks and months. The Commission and A29WP will give guidance on how they interpret the court’s ruling, there will be a new Safe Harbor 2.0 and a new data privacy law, and we will likely see other unexpected developments out of last week’s decision. So, don’t fall asleep at the switch. Stay alert and find good sources of information for updates, e.g., the A29WP website, The Wall Street Journal, http://www.Lexology.com, org, a good data privacy blog (e.g., Hogan Lovells), Twitter (@10ThingsLegal), and other sources.
There is a lot of nuance in all of the above and we covered a lot of ground in ten short points. But, this will get you started on the right path and hopefully give you something to calm the nerves of executives and board members as you figure out next steps.
October 13, 2015
Follow me on Twitter @10ThingsLegal where I post articles and stories of interest to in-house counsel daily.
(If you find this blog useful, please click “follow” in the top right and pass it along to colleagues or friends and/or “Tweet” it. “Ten Things” is not legal advice or legal opinion. It is intended to provide practical tips and references to the busy in-house practitioner and other readers. You can find this blog and all past posts at www.TenThings.net. If you have questions or comments, please contact me at either firstname.lastname@example.org or email@example.com)