Multinationals will have to undertake stronger privacy compliance in return for more legal certainty on data transfers out of the European Union, privacy professionals told Bloomberg BNA.
The European Commission, the EU's executive arm, recently moved to affirm that privacy regulators in the 28 EU countries may review the adequacy of privacy protections for data transfers. That move may not initially seem reassuring to companies, since it affirms strong privacy compliance standards and enforcement authority. But the Commission's effort also confirms the continuing viability of Standard Contractual Clauses (SCCs), Commission-approved provisions that companies insert into contracts to bind the businesses with which they share data to protect the privacy of the information.
Perhaps most importantly, the commission ruling doesn't force companies to renegotiate their existing SCC-compliant contracts. SCCs are one of the most widely used mechanisms for transferring data out of Europe. A single company may have hundreds or even thousands of separate SCCs with other companies that use or process information.
Being able to safely rely on SCCs already in place, and as a provision in new contracts, should be a boon for multinationals that need to transfer personal data out of the EU to other countries, including the U.S.
Having a viable means of legally moving personal data out of the EU to the U.S. is crucial for companies on both sides of the Atlantic. According to the European Union's official statistical office, Eurostat, the U.S. is “by far the largest destination for EU-28 exports of services,” with 212 billion euros ($221.7 billion) worth of services exported to the U.S. in 2015, making up a full 26 percent of all non-EU service exports. Total trade between the world's two largest economies reached $700 billion in 2015, according to the U.S. Census Bureau.
The commission's ruling “is a positive development for business” because it secures SCCs for data transfers, William RM Long, partner and leader of the EU data protection practice at Sidley Austin LLP in London, said.
Companies have been worried about personal data transfers in the wake of the 2015 ruling by the EU's top court that invalidated the U.S.-EU Safe Harbor program, the agreement that had allowed easier data transfers from the EU to the U.S. The replacement EU-U.S. Privacy Shield data transfer mechanism is now also under challenge in the Court of Justice of the European Union (CJEU). Given the legal uncertainty, many companies have looked to SCCs to allow data transfers.
But the viability of SCCs was also in doubt given ongoing concerns by some in the EU about whether data transferred out of the EU would be subject to improper access by the U.S. government. Those concerns reached a tipping point after Edward Snowden's disclosures and led to the demise of Safe Harbor. Those challenging the Privacy Shield argue that measures taken to strengthen the data transfer mechanism, including allowing EU citizens the right to challenge in U.S. courts the alleged government misuse of data, are ineffective. President-elect Donald Trump's rhetoric appearing to approve of increased government access to data hasn't helped to quiet the fears of EU privacy advocates.
The Commission on Dec. 16 officially adopted the amendments to its decisions on SCCs and on the adequacy of third countries' personal data protection to reflect the CJEU's judgment that the Commission may not restrict the powers of national privacy regulators.
By removing restrictions on the regulation of data transfers, the new commission amendments free up privacy regulators to wield all of the enforcement power accorded them by the 1995 Data Protection Directive (95/46/EC). This may result in swifter enforcement action, and necessitate that companies be more thorough with compliance, privacy professionals said. The action also is consistent with the national privacy office oversight and enforcement scheme in the replacement for the Data Protection Directive, the EU General Data Protection Regulation (GDPR).
The GDPR specifically approves the use of SCCs for data transfers outside the EU. “It’s a helpful thing for business because it demonstrates that when the GDPR becomes law, those options are solid data transfer mechanisms,” Long said.
The GDPR's May 2018 effective date prompted the Commission's review of the SCCs provisions.
The amending decisions aim at aligning current adequacy decisions with the CJEU finding in the Schrems case “that the supervisory powers of national supervisory authorities as regards international transfers cannot be restricted in a Commission's decision,” a Commission official told Bloomberg BNA. The amendments also seek to align the past rulings with the Privacy Shield, the official said.
The Commission also amended its rulings on the handful of countries outside of Europe that it considers to have privacy regimes adequate to protect the privacy of personal information transferred there. The U.S. isn't considered by the commission to have an adequate overall privacy regime, which is why the SCCs and the Privacy Shield data transfer alternatives are so important for U.S. companies.
The amendments were necessary because all of the adequacy decisions contained similar restrictive clauses to those in the invalidated Safe Harbor agreement.
Giving the national privacy regulators authority to suspend data transfers will oblige companies to pay serious attention to the compliance of transfers in order to avoid suspension or interdiction, Paul Van den Bulck, information technology, data privacy and security partner at McGuire Woods LLP in Brussels, told Bloomberg BNA.
Carlo Piltz, an information technology and data protection lawyer with JBB in Berlin, told Bloomberg BNA that privacy regulators may be quicker to consider suspending or prohibiting data transfer in cases of non-compliance with SCCs.
“It was good sense and a clever move from the Commission to propose the amendments,” Van den Bulck said. The revisions proposed by the Commission are in line with the Directive in terms of restoring the proper authority of national privacy regulators, he said.
Despite the stepped-up enforcement, the amendments are good news for businesses.
It had been unclear since Schrems whether the commission planned on revising its decisions, or if it also planned to revise SCCs, thereby requiring companies to renegotiate all SCCs.
Existing SCCs won't have to be amended or refiled, so “all the hard work that companies did after Safe Harbor was invalidated continues to be relevant and useful going forward,” Vishnu Shankar, data protection, privacy and information technology lawyer at Sidley Austin LLP in London, said.
Piltz agreed, saying that there won't be a direct impact from the revisions. Because the Commission decisions for SCCs weren't replaced, existing SCCs are still reliable, he said.
Long said SCCs as a data transfer instrument combined with the Privacy Shield has created some certainty in the market that wasn't present last year.
The EU isn't governed by a harmonized data protection legal regime. The Data Protection Directive obligated each of the 28 EU member countries to adopt national laws to implement the general requirements of the directive. But that created oversight and enforcement differences among the countries. More hawkish privacy regulators, such as those in Germany, have been more aggressive in exercising their regulatory authority than others, such as the U.K. Information Commissioner's Office.
As a regulation, the GDPR will become law across the EU without the need to transpose it into 28 separate national laws. The intent is to provide a more harmonized approach on which companies can rely. But there are some exceptions that will still allow individual EU countries to set up slightly different regulations.
Some analysts have argued that the ability for countries to retain differences may undermine the GDPR's harmonization goal. But many privacy professionals are skeptical that enforcement inconsistency will be a problem.
Van den Bulck said he is optimistic about cooperation among EU institutions since the Commission sought the formal opinion of the Article 29 Working Party, which is made up of privacy officials from the 28 EU countries, on how it might need to amend its previous rulings.
The option to aggressively enforce will be there if privacy regulators decide to use it, Van den Bulck said, but the Commission change is mostly for the purpose of giving institutions the instruments they were meant to have under the Directive and the GDPR.
With the GDPR fast approaching, regulators should provide companies with some direction on data transfers, analysts said.
Revising the Commission's decisions on data transfers suggests that companies must now take more care over their personal data transfers, Van den Bulck said. It makes the privacy regulators' authority over data transfers crystal clear, and the GDPR's massive enforcement fines are rapidly approaching, he said.
The GDPR authorizes maximum fines of 20 million euros ($22.5 million) or up to 4 percent of a company's global annual revenue, whichever is higher. To illustrate the severity of the fines, Alphabet Inc.'s Google had $60.6 billion in revenues in fiscal year 2015, Bloomberg data show. A fine of 4 percent means Google could get a bill from the EU exceeding $2.4 billion for a single infraction.
To contact the reporter on this story: George R. Lynch in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.