EU Data Transfer Updates May Be Boon for Multinationals

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George R. Lynch

Multinationals will have to undertake stronger privacy compliance in return for more legal certainty on data transfers out of the European Union, privacy professionals told Bloomberg BNA.

The European Commission, the EU's executive arm, recently moved to verify that privacy regulators in the 28 EU countries may review the adequacy of privacy protections for data transfers. That move may not initially seem reassuring to companies since it affirms strong privacy compliance standards and enforcement authority. But the Commission's effort also confirms the continuing viability of Standard Contractual Clauses (SCCs), commission-approved provisions that companies insert into contracts that bind business with which they share data to protect the privacy of the information.

Perhaps most importantly, the commission ruling doesn't force companies to renegotiate their existing SCC-compliant contracts. SCCs are one of the most widely used mechanisms for transferring data out of Europe. A single company may have hundreds or even thousands of separate SCCs with other companies that use or process information.

Being able to safely rely on SCCs already in place and as a provision in new contracts should be a boon for multinationals that need to transfer personal data from outside the EU to other countries, including the U.S.

Having a viable means of legally moving personal data out of the EU to the U.S. is crucial for companies on both sides of the Atlantic. According to the European Union's official statistical office, Eurostat, the U.S. is “by far the largest destination for EU-28 exports of services,” with 212 billion euros ($221.7 billion) worth of services exported to the U.S. in 2015, making up a full 26 percent of all non-EU service exports. Total trade between the world's two largest economies reached $700 billion in 2015, according to the U.S. Census Bureau.

The commission's ruling “is a positive development for business” because it secures SCCs for data transfers, William RM Long, partner and leader of the EU data protection practice at Sidley Austin LLP in London, said.

Companies have been worried about personal data transfers in the wake of the 2015 ruling by the EU's top court that invalidated the agreement to allow easier data transfers from the EU to the U.S., the U.S.-EU Safe Harbor program. The replacement EU-U.S. Privacy Shield data transfer mechansim is now also under challenge in the Court of Justice of the European Union's (CJEU). Given the legal uncertainty, many companies have looked to SCCs to allow data transfers.

But the viability of SCCs was also in doubt given ongoing concerns by some in the EU about whether data transferred out of the EU would be subject to improper access by the U.S. government. Those concerns reached a tipping point after Edward Snowden's disclosures and led to the demise of Safe Harbor. Those challenging the Privacy Shield argue that measures take to strengthen the data transfer mechanism, including allowing EU citizens the right to challenge in U.S. courts the alleged government misuse of data, are ineffective. President-elect Donald Trump's rhetoric appearing to approve of increased government access to data hasn't helped to quiet the fears of EU privacy advocates.

The Commission Dec. 16 officially adopted the amendments to its decisions on SCCs and the adequacy of third-countries personal data protection to reflect the CJEU's judgment that the Commission may not restrict the powers of national privacy regulators.

Model Contracts
Empowering Privacy Regulators

By removing restrictions on the regulation of data transfers, the new commission amendments free up privacy regulators to wield all of the enforcement power accorded them by the 1995 Data Protection Directive (95/46/EC). This may result in swifter enforcement action, and necessitate that companies be more thorough with compliance, privacy professionals said. The action also is consistent with the national privacy office oversight and enforcement scheme in the replacement for the Data Protection Directive, the EU General Data Protection Regulation (GDPR).

The GDPR specifically approves the use of SCCs for data transfers outside the EU. “It’s a helpful thing for business because it demonstrates that when the GDPR becomes law, those options are solid data transfer mechanisms,” Long said.

The GDPR's May 2018 effective date prompted the Commission's review of the SCCs provisions.

The amending decisions aim at aligning current adequacy decisions with the CJEU finding in the Schrems case “that the supervisory powers of national supervisory authorities as regards international transfers cannot be restricted in a Commission's decision,” a Commission official told Bloomberg BNA. The amendments also seek to align the past rulings with the Privacy Shield, the official said.

To achieve this aim, the commission issued decisions for data controller-to-data controllers SCCs, and data controller-to-data processor SCCs.

The Commission also amended its rulings on the handful of countries outside of Europe that it considers to have privacy regimes adequate to protect the privacy of personal information transferred there. The U.S. isn't considered by the commission to have an adequate overall privacy regime, which is why the SCCs and the Privacy Shield data transfer alternatives are so important for U.S. companies.

The amendments were necessary because all of the adequacy decisions contained similar restrictive clauses to those in the invalidated Safe Harbor agreement.

Giving the national privacy regulators authority to suspend data transfers will oblige companies to pay serious attention to the compliance of transfers in order to avoid suspension or interdiction, Paul Van den Bulck, information technology, data privacy and security partner at McGuire Woods LLP in Brussels, told Bloomberg BNA.

Carlo Piltz, an information technology and data protection lawyer with JBB in Berlin, told Bloomberg BNA that privacy regulators may be quicker to consider suspending or prohibiting data transfer in cases of non-compliance with SCCs.

“It was good sense and a clever move from the Commission to propose the amendments,” Van den Bulck said. The revisions proposed by the Commission are in line with the Directive in terms of restoring the proper authority of national privacy regulators, he said.

More Certainty

Despite the stepped-up enforcement, the amendments are good news for businesses.

It had been unclear since Schrems whether the commission planned on revising its decisions, or if it also planned to revise SCCs, thereby requiring companies to renegotiate all SCCs.

Existing SCCs won't have to be amended or refiled, so “all the hard work that companies did after Safe Harbor was invalidated continues to be relevant and useful going forward,” Vishnu Shankar, data protection, privacy and information technology lawyer at Sidley Austin LLP in London, said.

Piltz agreed, saying that there won't be a direct impact from the revisions. Because the Commission decisions for SCCs weren't replaced, existing SCCs are still reliable, he said.

Long said SCCs as a data transfer instrument combined with the Privacy Shield has created some certainty in the market that wasn't present last year.

Uneven Enforcement

The EU isn't governed by a harmonized data protection legal regime. The Data Protection Directive obligated each of the 28 EU member countries to adopt national laws to implement the general requirements of the directive. But that created oversight and enforcement differences among the countries. More hawkish privacy regulators, such as those in Germany, have been more aggressive in exercising their regulatory authority than others, such as the U.K. Information Commissioner's Office.

As a regulation, the GDPR will become law across the EU without the need to transpose it into 28 separate national laws. The intent is to provide a more harmonized approach on which companies can rely. But there are some exceptions that will still allow individual EU countries to set up slightly different regulations.

Some analysts have argued that the ability for countries to retain differences may undermine the GDPR's harmonization goal. But many privacy professionals are skeptical that enforcement inconsistency will be a problem.

Van den Bulck said he is optimistic about cooperation among EU institutions since the Commission sought the formal opinion of the Article 29 Working Party, which is made up of privacy officials from the 28 EU countries, on how it might need to amend its previous rulings.

The option to aggressively enforce will be there if privacy regulators decide to use it, Van den Bulck said, but the Commission change is mostly for the purpose of giving institutions the instruments they were meant to have under the Directive and the GDPR.

Certainty Ahead of New Privacy Regime

With the GDPR fast approaching, regulators should provide companies with some direction on data transfers, analysts said.

Revising the Commission's decisions on data transfers suggests that companies must now take more care to over their personal data transfers, Van den Bulck said. It makes the privacy regulators' authority over data transfer crystal clear, and the GDPR's massive enforcement fines are rapidly approaching, he said.

The GDPR authorizes maximum fines of 20 million euros ($22.5 million), or up to 4 percent of a company's global revenue. To illustrate the severity of the fines, Alphabet Inc.'s Google had $60.6 billion in revenues in fiscal year 2015, Bloomberg data show. A fine of 4 percent means Google could get a bill from the EU exceeding $2.4 billion for a single infraction.

To contact the reporter on this story: George R. Lynch in Washington at glynch@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.