Data transfers still a challenge for transatlantic business six months after the death of Safe Harbor

Many readers will have seen the discussions and controversy around the demise of the Safe Harbor regime and the challenges it has created for many companies doing business across the Atlantic.

In this article, I wanted to summarise the position, and the possible new solution which many are hoping will come to the rescue – the Privacy Shield – and what businesses should be thinking of doing in the meantime.

Background

Massive volumes of data relating to individuals are transferred across (or more accurately under or over) the Atlantic to support the online, financial services, travel and other sectors – data is the lifeblood of the modern economy.

EU privacy rules are unique around the world in the way they set out to restrict the ability of organisations to send personal data from Europe to the US and other non-EU countries which have not been designated by the EU authorities as providing "adequate protection" for personal data.  The US approach of sectoral regulation of Personally Identifiable Information (PII) and self-regulation is very different from the EU's single catch-all privacy directive and, as a result, the US is not regarded by the EU authorities as providing adequate protection.

That is not the end of the story as, fortunately, other mechanisms are provided for under the EU directive which can legitimise data transfers to the US:

  • Consent of the individuals to whom the data relates
  • Template "model clause" documents between an EU "data exporter" and a US "Data importer"
  • Binding Corporate Rules or "BCRs"
  • Until October 2015, the EU – US Safe Harbor regime

The last one, Safe Harbor, was a very popular voluntary scheme operated by the Department of Commerce and enforced by the FTC in the US and was used by around 4,500 US companies.

What’s the issue?

In October 2015, the Court of Justice of the European Union (CJEU) cast the future of data transfers from the EEA to the USA into doubt after striking down the Safe Harbor regime and indirectly questioning the validity of other data export tools listed above. This was the infamous "Schrems decision" named after the complainant, Max Schrems, an Austrian law student who complained to the Irish data protection regulator about the transfer of his personal data to the US by Facebook, arguing that Facebook's reliance on the Safe Harbor scheme as the legal basis for that transfer was unlawful.

The Snowden revelations, Schrems argued, showed that indiscriminate access to EU data by US law enforcement agencies and the lack of redress in the US courts for EU citizens meant that his data was not afforded "adequate protection" at all. This sent shockwaves through US business reliant on Safe Harbor, and led to an urgent speeding up of negotiations between EU and US authorities on a replacement for Safe Harbor that provided more robust protection for EU data. 

EU and US bureaucrats worked extremely hard to come up with a replacement for Safe Harbor which responded to criticism of CJEU and in early February 2016, the European Commission announced agreement of a new EU-US Privacy Shield to replace Safe Harbor and published draft proposals. 

Why does this matter?

It is simply impossible for the flows of personal data between the US and EU to stop, but businesses are in the cross-hairs if – in the aftermath of the decision to kill off Safe Harbor – they cannot find an alternative solution: this may mean it is harder to sell to EU customers, or that difficult discussions, and even enforcement action, by EU national data protection regulators, and significant brand damage, could result. So, the Privacy Shield is getting a lot of attention.

What does the Privacy Shield look like?

It is important to understand that the Privacy Shield is currently only a proposal – it has not been formally adopted under EU law as yet, although that may happen in the coming weeks.

The EC claims that the Privacy Shield addresses the issues raised by the CJEU in relation to the previous Safe Harbor regime by introducing:

  • strong obligations on companies and robust enforcement;
  • clear limits and safeguards with respect to US government access;
  • protection of EU citizens’ rights through new redress mechanisms; and
  • an annual review mechanism to ensure the continuing effectiveness of the scheme.

Key requirements for US companies signing up to the Privacy Shield will be to:

  • self-certify annually that they meet their obligations under the Privacy Shield;
  • comply with a set of Privacy Principles;
  • display a privacy policy on their website (with detailed requirements for the information to be set out);
  • reply promptly to any complaints (within 45 days); and
  • cooperate and comply with European data protection authorities (DPAs) if handling human resources data.

What has the reaction to draft of the Privacy Shield been?

The proposal was greeted with cautious optimism by businesses and with slightly less optimistic caution by regulators who said they needed to review the details before reaching a decision. The Article 29 Working Party (WP), comprised of European national data protection regulators, delivered its opinion on the EU-US Privacy Shield on April 13 2016. It has welcomed the progress made as a "great step forward," but has stopped short of endorsing the current proposals. 

The WP is concerned that the oversight and enforcement measures are not enough and the bulk collection of personal data remains possible.  On this basis, it urges the European Commission to continue negotiations with the United States government and says it still has work to do to ensure that any adequacy decision really does provide EU personal data transferred to the United States with a level of protection.

Where are we now?

The European Commission is not bound by the WP’s views and will almost certainly proceed towards a decision of adequacy given the political and commercial considerations. However, without the backing of the regulators, the Privacy Shield is unlikely to give any real comfort to businesses because regulators can investigate individual data exports for adequacy. 

So what should businesses do now?

Clearly the legal position is in a state of flux and this makes compliance challenging.  What a particular business should do will vary depending on the data they collect, where they are based and who the "audience" is for compliance -- e.g. is it EU regulators who might take an interest, or potential EU customers who need comfort a US-based platform as compliant before they will buy?

With apologies to readers who are well aware of this, a few points are really key here:

  1. Be aware that EU concept of personal data is wider than the US equivalent of PII – so capturing more categories of data in the net than you might think coming at this from a US perspective
  2. Remotely accessing from the US personal data resident on an EU server is a data transfer under EU law. This happens frequently in practice for support reasons, for instance.

What haunts businesses and their advisers is the possibility that a similar challenge to the one that killed Safe Harbor could be made to the Privacy Shield (if it goes live) or even one of the current compliance mechanisms: model clauses or BCRs.   That cannot be ruled out as the same complaint -- that US access to EU data means there is no adequate protection as the Europeans understand it -- can be made against all of the compliance mechanisms recognised by EU law.

Practical steps

There is no one size fits all solution, but here is our distilled quick guide based on experience with many US-EU data transfer situations.  We have made some general suggestions for all businesses involved in the transfer of personal data, and some more specific ones for US organisations with EU employees and then US-based B2B and B2C businesses.

All businesses involved in data transfer EU - US:

Look busy! Regulators really do not like the businesses who don't even look like they are trying to get compliant.

Understand what personal data you have that is transferred, where it comes from and what you do with it.  You may be surprised at how much data is flowing cross-border when you sit down with colleagues in different parts of the business.

Look to compliance solutions other than the now defunct Safe Harbor and have a paper trail showing your moves towards those alternative solutions.

Do not treat the EU as a single amorphous market in terms of privacy risk. Generalisations are always dangerous and risk is fact-specific, but it is fair to say that the UK and Ireland, and usually the Netherlands and Sweden, tend to be pragmatic regulators, usually seeking a dialogue with companies that are trying to get things right. In other countries the regulators have a reputation for insisting on compliance to the letter: Germany, Spain, France, Poland and Italy.

In practice, initial brainstorming calls with EU privacy experts can be useful to assess practical risk, agree key target territories and work out where limited legal budget should be spent -– sometimes the first launch country, sometimes a list of key EU territories (often including Germany as the high watermark for privacy requirements).

Keep up-to-date on developments including the Privacy Shield as this area is changing constantly –- appoint someone internally to be responsible for spotting relevant changes.

US headquartered businesses storing/accessing data on their own EU employees:

Look to conclude 'model clauses' with your EU affiliates unless already in place.  Bear in mind in some EU countries (France, Spain, Denmark, Italy and others) your EU affiliate will need to file that model clauses document with their national privacy regulator. You do *not* have to do this in the UK or Germany.

The model clauses have some pain points so think before you sign: for instance, if you use non-EU vendors (e.g. cloud-based HR platforms) you need to "flow-down" a model clauses agreement onto those vendors. If they have customers with an EU presence they will be used to it, if not, this could be a struggle.

Resist changing the small-print!   And try to stop your US vendors making changes to the model clauses – to work legally, the detailed legal terms need to remain as they are (in practice they sometimes get tweaked – but that is another article and changes need to be approached with care).

Countries like France and Germany regulate the collection and use of data on employees more actively than others – for instance, you may need to consult or negotiate with works councils in either country (in Germany they have significant power) and in France regulatory filings may need to be made or added to for certain forms of employee monitoring.

US B2B SaaS/ tech companies selling services to EU corporates which involve the transfer of the customer's personal data to the US (or elsewhere outside the EU):

Be ready for lots of questions around this – a hot issue in Europe! UK & Ireland tend to be the easier ride, and Germany the hardest, but nowhere is easy where data goes back to the US.

Ensure you have the data flow back to the US (or elsewhere) and the compliant solution which looks clean to your target audience nailed down, and messaging agreed so the customer-facing teams say the same thing around this.

That solution is often a version of the model clauses designed for non-EU data processors, which you could prepare in a form tailored to your service and which you have ready "in the back pocket" for those EU prospects that ask for it.  Not having a good story around this, and a legal solution ready, will lose you credibility and possibly revenue.

Consider whether you want to try to soften the rough edges of the model clauses, like the wide audit rights for your EU customer and the lack of a limitation on your liability for the commitments you make.  Take advice as to whether customers will entertain these changes, as strictly they risk removing the protection altogether.

The model clauses are not a tick-box for EU corporates – they will want to understand whether there are third party vendors or partners "sitting behind" the US supplier who also touch the data – data centres, call centres etc and may insist that you have model clauses flowed down to them as well.

Be ready to spend time talking through idiosyncratic and very conservative interpretations about what compliance means.

Consider, especially if Germany is a target market, whether you can host personal data for EU customers within the EU. Typically it costs more, but it does take some – not always all – of the heat out of this discussion.   Services like AWS, Azure, Rackspace and many others allow you to opt for EU servers.

Avoid references to US Safe Harbor in your privacy policy, or if you want to retain it (it is currently still a live US arrangement) qualify any statement in the policy in terms that recognise it no longer operates as a valid mechanism for data transfer under EU law.

US B2C companies targeting EU consumers:

Consider practical risk as a guide for how much time and money you spend on compliance: e.g. the extent to which they are "on the radar" of EU regulators – early-stage companies from the US without boots on the ground in the EU, for instance, can sometimes take a more robust view (although no one should ignore the issue!).

As a minimum, localise the privacy policy (perhaps a separate EU version) which has a clearer consent to data transfer to the US and consider whether a short reference to US hosting of data can be part of the online registration or purchase process without cluttering up the user experience (a brief reference and then a link to the policy might get past the design team).

Get the easy bits around local privacy compliance right: for instance, register with the national regulators where your presence requires that, appoint a data protection officer where local law requires it (such as Germany under some circumstances).

Avoid references to US Safe Harbor in your privacy policy, or if you want to retain it (it is currently still a live US arrangement) qualify any statement in the policy in terms that recognise it no longer operates as a valid mechanism for data transfer under EU law.

Chris Jeffery is a partner in the IP/IT group at Taylor Wessing and heads the UK IT, Telecoms & Competition Group. He specialises in advising technology companies on complex contractual negotiations, data protection governance and compliance (particularly where there is a significant cross-border element) and and all areas of doing business online. His clients span the ad tech, fin tech, ecommerce, mobile, enterprise software, SaaS & cloud and high-end engineering sectors.

 

Christopher Jeffery

Taylor Wessing, 5 New Street Square, London, EC4A 3BF

Chris is a partner in the IP/IT group at leading international law firm Taylor Wessing, and heads the UK IT, Telecoms & Competition Group. He specialises in advising technology companies on complex contractual negotiations, data protection governance and compliance (particularly where there is a significiant cross-border element) and and all areas of doing business online. His clients span the ad tech, fin tech, ecommerce, mobile, enterprise software, SaaS & cloud and high-end engineering sectors.