Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Baker & McKenzie attorneys discuss the pros and cons of the recently-approved EU-U.S. Privacy Shield and compare it to other options available for cross-border data transfers from the European Economic Area to the U.S. When companies choose an appropriate compliance mechanism to establish adequate safeguards for data importers and onward transferees outside the EEA, they should carefully analyze their particular situation, the authors write.
By Lothar Determann, Brian Hengesbaugh and Michaela Weigl
Lothar Determann is a partner in Baker & McKenzie LLP's Palo Alto office and is a member of the firm's Global Privacy & Information Management Working Group. Brian Hengesbaugh is a partner in Baker & McKenzie LLP's Chicago office and serves as chair of the firm's Global IT/C Data Security Working Group. Michaela Weigl is an associate at Baker & McKenzie's Frankfurt office and practices data protection and information technology law.
This article reflects the authors' personal opinions and not those of Baker & McKenzie, its clients or others.
Since Aug. 1, 2016, companies in the U.S. can join the EU-U.S. Privacy Shield Program operated by the U.S. Department of Commerce (European Commission Decision 2016/1250 of July 12, 2016) (15 PVLR 1478, 7/18/16). More than 70 companies joined almost immediately (15 PVLR 1705, 8/22/16). Others are considering if and when they should join and what alternatives they have.
U.S. companies consider joining Privacy Shield for ease of doing business with European companies and customers.
Companies established or using equipment in the European Economic Area (EEA)—the 28 EU member states plus Iceland, Liechtenstein and Norway—are prohibited from sharing personal data with affiliates, vendors, customers and anyone else outside the EEA, unless an adequate level of data protection in the recipient jurisdiction is assured or an exception or derogation applies. This prohibition stems from the EU Data Protection Directive of 1995 (95/46/EC) (EU Data Protection Directive) and a comparable requirement will continue to apply when the new General Data Protection Regulation (GDPR) becomes effective on May 25, 2018 (see Art. 25 of the EU Data Protection Directive and Art. 44 of the GDPR). In the Directive and in Art. 4 No. 1 GDPR, the term “personal data” is broadly defined to include any information relating to an identifiable individual. Art. 4 No. 1 GDPR defines “personal data” as follows:
... “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Practically, companies cannot conduct any business without sharing at least some contact information, and many transactions require more intensive information sharing. Therefore, companies in the EEA need to ensure adequate data protection safeguards to do business or otherwise transmit data outside the EEA.
Brian Hengesbaugh and Amy de La Lama, Cross-Border Data Transfers, 520 Privacy & Data Security Practice Portfolio Series (Bloomberg BNA).
The European Commission has approved a few countries as generally assuring adequate data protection levels, including Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay, but has not issued a blanket adequacy finding for all of the U.S., even though U.S. data privacy laws are in many respects more specific, effective and up to date than data protection laws in Europe and other countries. Lothar Determann, Adequacy of data protection in the USA: myths and facts, International Data Privacy Law (forthcoming, 2016); US-Datenschutzrecht—Dichtung und Wahrheit, NVwZ 2016, 561.
In 2000, the European Commission issued a uniquely limited adequacy finding for the U.S. whereby U.S. companies would be deemed to assure adequate data protection if they joined a “Safe Harbor” program that the U.S. Commerce Department had agreed with the European Commission to enable U.S. companies to satisfy EU adequacy requirements. Fifteen years and approximately 4,500 company registrations later, the Court of Justice of the European Union (CJEU) invalidated the Commission's adequacy decision from 2000 on Oct. 6, 2015 due primarily to concerns that the Safe Harbor itself did not embed protections against U.S. law and policy on government surveillance. Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, judgment of Oct. 6, 2015 (14 PVLR 1825, 10/12/15); L. Determann, U.S. Privacy Safe Harbor—More Myths and Facts, Bloomberg BNA Privacy & Security Law Report, 14 PVLR 2017 (2015) (14 PVLR 2017, 11/9/15). For now, Commerce continues to maintain the Safe Harbor program, but has already announced that it is no longer accepting new registrations, and will discontinue accepting annual re-certifications for existing Safe Harbor companies as of the end of October 2016.
After the CJEU challenge to the Safe Harbor program, the European Commission and Commerce intensified their work on a successor program, which they had been working on for a couple of years already. Brian Hengesbaugh, Amy de La Lama, Michael Egan, European Commission Reaffirms Safe Harbor and Identifies 13 Recommendations to Strengthen the Arrangement, Bloomberg BNA Privacy & Security Law Report, 12 PVLR (2013) (12 PVLR 2073, 12/16/13). They created the EU-U.S. Privacy Shield program to address all concerns that the CJEU had raised. On July 12, 2016, after obtaining all requisite approvals and engaging in appropriate consultations, the European Commission issued its decision finding that “the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.” Article 1.1 of the Privacy Shield Adequacy Decision, L 207/35. See also Gilbert/van der Heijden, EU-U.S. Privacy Shield 2.0 signed, sealed and delivered, Bloomberg BNA, Privacy & Data Security Law, July 28, 2016 (15 PVLR 1417, 7/11/16); Cooper/Kuschewsky/Coughlan, The EU-U.S. Privacy Shield: What's New and What's Next?, Bloomberg BNA, World Data Protection Report, July 28, 2016; Koo, New EU-U.S. Data Transfer Pact May Face Court Challenges, Bloomberg BNA, Privacy & Data Security Law, July 25, 2016 (15 PVLR 1514, 7/25/16). As expected, certain politicians, activists and data protection authorities in the EU immediately criticized the program and announced plans to challenge it. McLellan, Felz, Beierlein, Enforcement Outlook: German Data Protection Authorities Eye Cross-Atlantic Data Transfers, Bloomberg BNA Privacy and Data Security Law, August 1, 2016 (15 PVLR 1584, 8/1/16).
However, speaking collectively, the Article 29 Working Party of EU Data Protection Authorities affirmed that Privacy Shield offers “major improvements” as compared to Safe Harbor, and has issued statements indicating that it will raise any ongoing concerns about Privacy Shield in the context of the annual review of the program, and that the EU data protection authorities will not plan to challenge the program collectively for at least a year.
Companies in the EEA have to overcome three hurdles before they can lawfully transfer personal data to a company in the U.S.: (1) generally applicable local compliance obligations, (2) general prohibitions on data processing, including data disclosures to third parties (whether domestic or international), and (3) prohibitions on international data transfers outside the EEA. A violation at any of these levels will cause the data transfer to be ultimately unlawful. See non-binding guidance of March 19, 2009 from the European Commission Data Protection Unit (Frequently Asked Questions relating to Transfers of personal data from the EU/EEA to Third Countries), p. 18.
1. First Hurdle: Local Compliance. Companies in the EEA have to comply with a number of formal and substantive data protection law requirements. For a country-by-country overview, see Baker & McKenzie Global Privacy Handbook (2016 Edition) and Determann's Field Guide to Data Privacy Law, 2nd Ed. (2015). Please also see Determann/Kramer/Stoker/Weigl, Going Global Online, Basic E-Commerce and Data Privacy Considerations, Bloomberg BNA Privacy and Security Law Report, Jan. 12, 2015, p. 6 seq. (14 PVLR 52, 1/12/15). These requirements apply regardless of whether data is transferred or not.
Data controllers have to notify data subjects about all relevant details of data processing, including the legal basis for the collection, use and other processing of personal data (see Art. 13 and 14 GDPR), as automated data processing is by default prohibited in the EEA. See Michaela Weigl, The EU General Data Protection Regulation's Impact on Website Operators and eCommerce, Comp. Law Rev. Int'l, August 2016, p. 102-108. Companies can justify data collection with consent from the data subject, a need to perform contractual obligations, statutory requirements to collect data, legitimate interests and a number of other reasons ( see Art. 6 GDPR).
Some EEA member states also require that companies notify national data protection authorities or appoint data protection officers. Lothar Determann and Denise Lebeau-Marianna, Getting a Grip on International Data Protection Authority Filings, 10 BNA Privacy & Security Law Report 639 (2011) (10 PVLR 1430, 10/3/11); Lothar Determann and Christoph Rittweger, German Data Protection Officers and Global Privacy Chiefs, BNA Privacy & Security Law Report (2011) (10 PVLR 639, 4/25/11). Under the GDPR, more companies will have to appoint data protection officers throughout the EEA and notification requirements may be reduced or abolished (Art. 37 and recital 89 of the GDPR respectively).
2. The Second Hurdle: Disclosures. Even if a company is perfectly in compliance with local data privacy laws (first hurdle) and it also meets the specific requirements for transfers outside the EEA (third hurdle, discussed next), it is not a given that such a company may disclose a particular item of personal data at all to another data controller. Even a wholly-owned, closely-held subsidiary that discloses personal data to its parent company in the same or in another EEA member state has to justify the disclosure. Thus, as a second hurdle to international data transfers, the company in the EEA has to make a case for why the disclosure is permitted despite the general prohibition on processing. This second hurdle is often overlooked by companies focusing on the first and third hurdle.
As with any other processing, companies can theoretically justify disclosures by obtaining valid consent or demonstrating a necessity to transfer data in order to perform a contract with the data subject or comply with local laws. But data subjects tend to be reluctant to agree to data disclosures, and contractual necessities are often not clearly present to justify transfers. For example, an employer needs to collect and process certain personal data to pay its employees, monitor and reward their performance, provide benefits coverage and report and withhold taxes, in accordance with contractual and statutory obligations as an employer. But it is less clear whether the employer may also disclose employee information to its ultimate parent company, which is a common practice in many multinational groups.
Many multinationals may be able to refer to legitimate interests in this respect (see Art. 6 (f) GDPR, recital 48 GDPR); specifically, small subsidiaries without a human resources department may be able to demonstrate legitimate interests or even a contractual necessity for transfers to a 100 percent parent company that manages payroll and other human resources functions for its smaller subsidiaries. But a larger subsidiary with stand-alone administrative functions may find it more difficult to justify disclosures, because some of the functions and data could also be kept locally.
There are good arguments that multinational businesses will succeed in showing needs for human resources disclosures regarding some data categories that the U.S. parent company legitimately needs, e.g., for cross-border projects and career management, secondments and employee stock option grants. Also, subsidiaries in the EEA that act as sales representatives for U.S. parent companies should be permitted to disclose customer contact information based on legitimate interests for purposes of enabling the U.S. parent company to conclude and perform sales contracts with customers in the EEA. Similarly, companies may have to share certain customer data with logistics providers (to deliver products) and manufacturers (to support expeditious recalls or warranty support). But, independent resellers, for example, may find it more difficult to justify disclosures of consumer data to unaffiliated suppliers.
Where companies cannot otherwise justify data disclosures, they can also consider an engagement of the recipient company as a mere data processor under an appropriate data processing agreement. Companies do not have to further justify data disclosures to service providers if they concluded a data processing agreement that complies with Art. 28 GDPR. There are good arguments that Art. 28 GDPR constitutes a statutory permission for the processing if its requirements are complied with; see Niko Härting, May 10, 2016, CR-online.de Blog; Lothar Determann, Data Privacy in the Cloud—Myths and facts, 121 Privacy Law & Business 17 (2013); L. Determann, EU Standard Contractual Clauses for Transfers of Personal Data to Processing Service Providers Reassessed, BNA Privacy and Security Law Report 10 PVLR 498 (2011) (10 PVLR 498, 3/28/11).
3. Third Hurdle: Transfers Outside the EEA. Companies have to cross only the two hurdles previously discussed with respect to data disclosures within the EEA or to countries that the European Commission has generally declared to assure adequate safeguards, i.e., Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay and others. The same applies with respect to U.S. companies that join the Privacy Shield, based on the adequacy decision of the European Commission of July 12, 2016. But with respect to any data transfers to other countries outside the EEA or to U.S. companies that do not participate in the Privacy Shield program, companies have to cross a third hurdle, namely the general prohibition on international data transfers.
In this respect, companies in the EEA have a number of different options to make transfers subject to appropriate safeguards or otherwise qualify for derogations or other exceptions (see Articles 44 through 49 of the GDPR). All alternatives come with strings attached, including the following:
1. Consent and contracts. Companies can legitimize many types of data processing and transfers by obtaining valid consent from the data subjects, i.e., the persons to whom the data relates, or by undertaking contractual commitments that necessitate the transfer (Art. 49.1 a) and b) GDPR). Valid consent and necessities under contracts can help overcome each of the three hurdles. But consent is valid only if it is freely given, specific, informed and unambiguous, and it can be revoked at any time (Art. 4 No. 11 GDPR), which can be challenging to achieve (e.g., in the employment context, employees may be viewed as having limited capacity to freely consent with their employer). The GDPR requires explicit consent for the transfer outside the EEA and requires companies to explicitly warn data subjects about the risks of such international data transfers.
2. Standard Contractual Clauses. If a company within the EEA agrees with a company outside the EEA that the latter will comply with Standard Contractual Clauses approved by the European Commission for data transfers to controllers (Controller SCC 2004) or processors (Processor SCC 2010), then “adequate safeguards” are presumed. Art. 46 para. 2 c) GDPR; Brian Hengesbaugh, Michael Mensik, Lothar Determann, Global Data Transfers and the European Directive—A Practical Analysis of the New ICC Contract Clauses, BNA Privacy & Security Law Report, Vol. 4, No. 6, 2/7/2005, pp. 153-156 (4 PVLR 153, 2/7/05); Lothar Determann, EU Standard Contractual Clauses for Transfers Of Personal Data to Processing Service Providers Reassessed, BNA Privacy and Security Law Report 10 PVLR 498 (2011).
Currently available Standard Contractual Clauses will be grandfathered under the GDPR unless and until the Commission amends them or the CJEU invalidates the applicable adequacy decision (Art. 46.5 sent. 2 GDPR). In order to enjoy the benefit of the adequacy finding of the European Commission, the parties may not modify the Standard Contractual Clauses in any manner that would contradict, indirectly or directly, the clauses or the data protection rights of the data subjects (recital 109 GDPR). Companies are in principle free to modify the clauses or draft their own agreements from scratch, but such “homemade” agreements are subject to full scrutiny by every EU member state and may trigger various additional requirements to notify or obtain approval from local authorities (which can be time-consuming, costly and difficult to manage). But, companies are generally permitted to add provisions that do not affect the privacy protections in the clauses, such as indemnity rules, without implicating the European Commission's binding decision, as expressly noted in the Standard Contractual Clauses.
3. Binding Corporate Rules. For intra-group data transfers, multinational groups can also submit to Binding Corporate Rules (BCRs), i.e., binding commitments that reflect and safeguard compliance with EU data protection laws within a group of companies. Art. 46.2(b) and 47 GDPR. BCRs cannot legitimize data transfers to unaffiliated entities, such as customers, suppliers, distributors, service providers, civil litigants, government agencies and other entities. Art. 47 para. 2 GDPR sets out the minimum specifications that have to be included in BCRs, including, for example, the structure and contact details of the group of companies, the data transfers or set of transfers (including the categories of personal data), the type of processing and its purposes, the type of data subjects affected and the identification of the third country, etc. Art. 47 para. 1 additionally provides that BCRs must be legally binding, apply to and be enforced by the group companies, and expressly confer enforceable rights on data subjects with regard to the processing of their personal data. The European Commission may specify the format and procedures for BCRs. Art. 47 para. 3 GDPR.
4. Approved codes of conduct or certification mechanisms. When the GDPR applies, companies may also become able to rely on codes of conduct that industry associations develop, if approved by data protection authorities and granted general validity by the European Commission. Approved certification mechanisms issued by certification bodies or data protection authorities may also provide appropriate safeguards after the GDPR comes into effect (Art. 46.2 e) and f) GDPR in connection with Art. 40 and 42 GDPR).
5. Other options. A few other options apply and companies can mix and match. No one size fits all. Each option presents different advantages and disadvantages in particular scenarios. Notably, with some of these options, companies can not only address the third hurdle described in part III.3 of this article (international transfer prohibitions), but also the first and second hurdle described in parts III.1 and III.2 respectively, i.e., general compliance obligations and disclosure restrictions. The following parts V and VI of this article focus on comparisons, advantages and disadvantages of the different options to legitimize data transfers.
At first sight, the Privacy Shield Principles are more elaborate and rigid than the Safe Harbor Program: In 2000, the Safe Harbor Principles took up 2.5 pages and the Commission's adequacy decision 40 pages in the Official Journal of the EU; in 2016, the Privacy Shield Principles weigh in at 19 pages and the adequacy decision at 112 pages. This increase in word count parallels the growth of EU data protection legislation from the 1995 EU Data Protection Directive on 19 pages to the 2016 GDPR on 88 pages.
More substantively, the Privacy Shield arrangement contemplates annual reviews and updating of the Privacy Shield Principles as well as a number of strengthened or new privacy safeguards such as requirements regarding more detailed privacy notices (calling out details on liability, access rights and dispute resolution), more robust onward transfer contracts and access to such contracts by the Commerce Department, and data minimization, data retention, independent recourse mechanisms at no cost to the individual, as well as publication requirements relating to non-compliance. Companies that voluntarily leave the program must return or delete all previously received personal data or continue to apply the Privacy Shield Principles to such data and recertify compliance on a perpetual, annual basis. If the Commerce Department removes a company from the Privacy Shield Program, the company must delete or return previously collected data (Section 3 of Annex II).
Additionally, the U.S. Director of National Intelligence offered concrete and robust commitments to the EU in 18-page-long undertakings accompanying the Privacy Shield Principles. Privacy Shield Adequacy Decision, L 207/91. Previously, the U.S. President had already significantly reined in National Security Agency surveillance and U.S. Congress had strengthened privacy protections in the Judicial Redress Act and the USA Freedom Act (repealing the infamous USA Patriot Act) as a reaction to domestic and international concerns regarding mass surveillance revealed by Edward Snowden in 2013. Lothar Determann and Teresa Michaud, U.S. Privacy Redress and Remedies for EU Data Subjects, Bloomberg BNA Privacy & Security Law Report, 14 PVLR 206 (2015) (14 PVLR 2062, 11/16/15); Lothar Determann and Karl-Theodor zu Guttenberg, On War and Peace in Cyberspace: Security, Privacy, Jurisdiction, Symposium 2014: The Value of Privacy, Hastings Constitutional Law Quarterly, 41 Hastings Const. L.Q., 1 (2014).
Companies can assess the available options (see III.3 above) based on various different criteria, including the following dozen:
1. Substantive compliance obligations. The Privacy Shield Principles of 2016, the Processor SCC 2010 and the Controller SCC of 2004 were created over a span of 12 years with input from different organizations, including the U.S. Commerce Department and the International Chamber of Commerce. Each compliance vehicle contains substantive terms that are intended to commit U.S. companies to core principles of EU data protection laws, but each document uses different verbiage and nuances, which will affect companies differently depending on their business focus and overall situation. For example, the Privacy Shield Principles are specific regarding opt-out rights to onward transfers, dispute resolution process, and data retention.
The Processor SCC and Controller SCC contain more generalized descriptions on these issues, although it is expected that these clauses will be updated with more specificity in the coming months to respond to the rigors of GDPR. The specifics of the substantive compliance obligations companies must assume in BCRs will depend on what they can achieve in their negotiations with authorities for approval of their BCRs. With respect to emerging solutions, such as Codes of Conduct, the specifics of the substantive requirements will depend on private sector proposals and views of data protection authorities in the approval processes. Where companies rely on consent or contractual necessities, they define their substantive compliance obligations in the terms they present to the data subjects in contracts and privacy notice forms, although the sufficiency of such terms may be subject to review and approvals of authorities depending on national rules.
2. Flexibility and configurability. When companies are able to obtain consent or contractual agreements with data subjects, they may have the great advantage that they can tailor the scope of the consent or contract to their particular situation and avoid having to adapt to the more regulated frameworks of the Standard Contractual Clauses, the BCRs, the EU-U.S. Privacy Shield, Codes of Conduct or certification schemes.
But consent is valid only if it is freely given, specific, informed and unambiguous. For international transfers outside the EEA, consent additionally has to be explicit. It is not always practical to meet these requirements. Brian Hengesbaugh, Michael Mensik, and Amy de La Lama, Why Are More Companies Joining the U.S.-EU Safe Harbor Privacy Arrangement, International Association of Privacy Professionals (IAPP) Privacy Advisor (January 2010). Some types of businesses do not have any direct relationship with data subjects and therefore cannot approach the data subjects with a request for consent, e.g., cloud, SaaS or outsourcing service providers and companies that host data or websites to which others submit information that may include personal information on EU residents.
Businesses might also have difficulties meeting the “voluntariness” requirement: For example, the data protection authorities in most EEA member states presume that employee consent is coerced, hence involuntary, given the typical imbalance of power in the employment relationship. See, for example, Art. 29 Working Party, WP 193, accessed August 7, 2016; L. Determann and L. Brauer, Employee Monitoring Technologies and Data Privacy–No One-Size-Fits-All Globally, 9 The IAPP Privacy Advisor, 1 (2009); L. Determann, When No Really Means No: Consent Requirements for Workplace Monitoring, 3 World Data Protection Report 22 (2003) (2 PVLR 1117, 9/29/03).
Additionally, recital 43 GDPR states that consent should not provide a valid legal ground where there is a “clear imbalance” between the data subject and the controller, without providing examples of a “clear imbalance.” The term “clear imbalance” might be interpreted as many data protection authorities already interpret it in employment relationships; however, it might also be extended to other cases, e.g., if a consumer concludes a contract with a company. In such cases, relying on consent could become an unreliable solution. Most companies also find it challenging to obtain and maintain consent with sufficient specificity, as technology, business practices and purposes change constantly and force companies to update consent forms frequently. It is worth noting that companies are required to notify data subjects about the company's data processing practices in any event, whether or not the company relies on consent (see Art. 13, 14 GDPR). Yet, data protection authorities and courts might apply higher standards of scrutiny with respect to the amount of information that is required to render consent informed and explicit, compared to a situation where a particular data processing activity is permissible without consent and notification of data subjects is required in the general interest of transparency. Another important consideration is that data subjects can revoke voluntary consent at any time. Therefore, in practice, companies often cannot – or do not wish to – rely on consent to legitimize international data transfers, at least not as the sole compliance measure.
Similarly, contractual obligations vis-à-vis data subjects are not always in place or suited to justify data transfers. Some companies are able to bolster their position regarding data subject consent by additionally creating contractual obligations that in turn create a necessity to engage in certain transfers. For example, if a company contractually agrees with a data subject to retain certain third parties in other jurisdictions to provide services or information, or to ship physical items to the data subject, then the company can justify the data transfers to the third parties, as such transfers are necessary to perform under the contract. Some jurisdictions may apply less stringent requirements to online contract formation than they apply to consent under data protection laws, but many European jurisdictions generally empower courts to scrutinize the fairness of clauses in adhesion contracts beyond the standards applied by U.S. law and jurisprudence. See L. Determann, Notice, Assent Rules for Contract Changes After Douglas vs. U.S. District Court, 12 BNA Electronic Commerce & Law Report 32 (2007); L. Determann and A. Purves, The Glue that Holds it Together: Enforceability of Arbitration Clauses in Click-Through Agreements and Other Adhesion Contracts, 14 Electronic Commerce & Law Report (2009).
3. Geographic and topical coverage. Companies can use consent and contracts with data subjects with respect to all geographies, so these routes are suited to support uniform approaches across geographies. Uniform topical coverage is more difficult, because consent and contractual undertakings are often not an option in certain scenarios—for example, in the human resources context (where freedom to contract is limited and consent deemed coerced) or due to a lack of direct contact with data subjects or a business context that does not induce data subjects to grant consent or conclude contracts.
Companies can also use data transfer agreements and data processing agreements incorporating the Standard Contractual Clauses to legitimize transfers of EEA data to any other country. But, the Standard Contractual Clauses require a significant amount of detail regarding data processing practices and purposes to be included in Appendices to the data transfer agreements, which causes many companies to prepare specific agreements for specific scenarios and this in turn can result in a multitude of limited transfer agreements as opposed to one comprehensive set of rules for all geographies and topics. However, since under the GDPR companies are obligated to prepare “records of processing activities” which must contain, inter alia, the purposes of the processing, a description of the categories of data subjects and of the categories of personal data, the categories of recipients and identification of third countries in case of international data transfers (Art. 30 GDPR), companies are required to map their data anyway.
BCRs, codes of conduct and certification schemes could theoretically provide a comprehensive set of rules and cover any jurisdiction and all data categories. However, BCRs are for intra-group transfers of personal data, i.e., between affiliated companies only, and not for transfers of personal data to and from business partners, such as suppliers, customers, distributors, etc. (Art. 47.1 GDPR). And, companies may logically be reluctant to implement truly global BCRs, because commitments required with respect to EEA data may not be appropriate or affordable for data from other regions or countries.
The EU-U.S. Privacy Shield framework can be used to transfer data of any nature, intra-group and vis-à-vis third parties, but it only addresses data transfers from the EEA to the U.S. (or via the U.S. to third countries). It does not cover transfers from the EEA directly to countries other than the U.S.
4. Implementation process and timing. Consent forms and contractual undertakings are relatively easy to prepare and implement in online click-through scenarios, but offline, negotiation and dealing with concerns or push-back raised by data subjects can take a significant amount of time and effort.
Implementing data transfer agreements based on the Standard Contractual Clauses does not typically take companies a lot of time in the intra-group context, because the content of the contracts is largely prescribed and translations in all major European languages are available (courtesy of the European Commission). But, companies with many subsidiaries or particularly dynamic corporate structures (think: acquisition or spin-off sprees) view the implementation of data transfer agreements as a more significant burden, particularly if local operations are reluctant to execute the agreements. Moreover, getting unaffiliated business partners to sign the forms can be challenging (although, more and more sophisticated companies accept the format and wording of the “official” Standard Contractual Clauses as a necessity).
The greatest administrative burden under the Data Protection Directive used to be and is currently associated with implementing BCRs. Firstly, companies have to decide on the content of the rules “from scratch”: although there is guidance from authorities, no official templates are available, and the publicly available precedents do not necessarily suit all companies (see the list of companies for which the BCR cooperation procedure is closed and the list with links to some approved BCRs). Moreover, BCRs require approval from data protection authorities in every EEA member state. Currently, 21 countries are part of the mutual recognition procedure: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain and the U.K.
Such a mutual recognition procedure is quite burdensome and cost intensive. However, under the GDPR at least the content requirements for BCRs are set out: BCRs must (i) be legally binding, apply to and be enforced by the group of companies, (ii) expressly confer enforceable rights on data subjects with regard to the processing of their personal data and (iii) fulfill certain specifications outlined in Art. 47.2 GDPR (see Art. 47.1 GDPR). Also, the competent supervisory authority must approve BCRs in accordance with the consistency mechanism, i.e., BCRs will formally be recognized across the EU. The competent authority will be the supervisory authority of the main establishment (Art. 56 GDPR). The supervisory authorities must cooperate with each other through the consistency mechanism (Art. 63 GDPR). It remains to be seen whether the approval process for BCRs will be less burdensome and time consuming under the GDPR.
By contrast, a registration under the EU-U.S. Privacy Shield framework is relatively easy (online filing only) and most EEA member states did not require companies to seek prior approval with respect to data transfers to U.S. Safe Harbor participants, a privilege they may extend to the EU-U.S. Privacy Shield program as it is also an “adequacy” decision. U.S. companies will want to take sufficient time before they submit to the EU-U.S. Privacy Shield framework, because they should conduct the required self-assessment and prepare the relevant due diligence documentation in order to be prepared to answer any questions from Commerce and/or any enforcement actions by the U.S. Federal Trade Commission (FTC).
Such a self-assessment should be undertaken and documented in the context of any of the compliance options; in fact, the ICC Controller Clauses expressly require due diligence efforts as well. But, companies will have to consider the dynamics and implications of needing a corporate officer to sign a declaration regarding compliance and self-assessment, a possible review process by third party validators or dispute resolution process providers as well as the heightened scrutiny from Commerce and/or the FTC regarding applications to join the EU-U.S. Privacy Shield and onward transfer agreements.
It remains to be seen how fast the newly introduced possibility to adduce appropriate safeguards to legitimize data transfers through approved Codes of Conduct can be implemented (it requires approval from the data protection authority and a European Commission decision). The same applies to the new certification mechanisms which require approval from the data protection authority or from the certification bodies.
5. Ongoing administration. The EU-U.S. Privacy Shield program requires annual re-certification, but changes in the practical details of data processing do not have to be notified to the U.S. Commerce Department. Certification schemes per Art. 42 of the GDPR will be limited to a maximum period of three years and may be renewed. Other compliance options require actions in case of changes (e.g., additional consent, updating contracts or modifying BCRs), but no annual or routine actions in the absence of changes. Approved Codes of Conduct may or may not require ongoing administration, depending on their individual rules.
6. Onward transfers. As companies decide on a mechanism to legitimize their data transfers from the EEA, they should look ahead and consider the implications of each compliance option for the data recipient outside the EEA and its ability to share data originating from the EEA with onward transferees, such as external service providers, business partners, government agencies (e.g., in case of investigations, litigation or reporting obligations) and other non-EEA affiliates (e.g., subsidiaries in North or South America or Asia).
a. Onward transfer based on consent. If a U.S. company receives the EEA data based on valid consent or a necessity to perform contractual obligations, the U.S. data importer does not assume any specific obligations, except as the U.S. data importer may commit to in the context of the consent, or otherwise agree contractually with any data exporter in the EEA. In the absence of contractual obligations, the U.S. data importer would not face any direct restrictions under EU data protection law. Of course, particularly in the context of HR data transfers, the U.S. data importer would be indirectly affected by compliance obligations on its EEA-based subsidiaries, the data exporters. The European data exporters should not allow the onward transfers, unless the data subjects have been informed as necessary, and the transfers are covered by the scope of the consent or necessity to perform contractual obligations.
b. Onward Transfers based on Standard Contractual Clauses. U.S. companies that agree to the Controller SCC 2004 and Processor SCC 2010 must pass on their obligations verbatim to onward transferees. This is fairly easy to achieve in the intra-group context, but can be difficult or impossible with respect to some categories of unaffiliated onward transferees, e.g., in the context of litigation pre-trial discovery, if a foreign government demands access to EEA data in the context of investigations (this will likely not be different under the GDPR), if a foreign regulator or law enforcement authority seeks to compel access or when dealing with business partners that do not otherwise have to or want to submit to EU data protection laws. See Brian Hengesbaugh and Michael Mensik, Global Internal Investigations: How To Gather Data and Documents Without Violating Privacy Laws, BNA International World Data Protection Report, Volume 8, Number 7 (July 2008). But, since many internationally active businesses have become familiar with the workings of EU data protection laws, it seems to be becoming easier and easier to obtain signatures on onward transfer agreements that reference the Standard Contractual Clauses, particularly data processing agreements based on SCC 2010. The Model Controller Contracts tend to be relatively easy to implement with respect to group-internal data transfers and usually do not bring about insurmountable obstacles with respect to onward transfers to unaffiliated entities.
Under the Model Controller Contract, the data importers outside the EEA are not explicitly obligated to implement any particular mechanisms with respect to onward transfers to data processors. But, for various practical reasons, data importers outside the EEA have to sign onward transfer agreements with data processors anyhow. Firstly, onward data recipients cannot be qualified as mere data processors unless they are contractually obligated to act only on behalf, in the interest and per instructions of a data controller. Secondly, the data importer assumes full responsibility for all actions and omissions of its agents under the Model Controller Contract and therefore, has to pass on compliance obligations and allocate commercial risks contractually to onward transferees.
c. Onward Transfers under EU-U.S. Privacy Shield. If a U.S. company registers with the EU-U.S. Privacy Shield, then such U.S. company would be primarily obligated to ensure that it provides notice and choice to data subjects prior to transferring data to other data controllers. In order to provide data subjects with “choice”, the U.S. company would have to obtain affirmative consent regarding sensitive data (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual); with respect to other data, an opportunity to opt out would suffice. An exception for intra-group transfers does not exist, so companies may have to offer “choice” also for data transfers to affiliates unless they enter into group-internal data processing arrangements or rely on exceptions under EU data protection laws per Privacy Shield Principle I.5. Privacy Shield Adequacy Decision, L 207/49.
EU-U.S. Privacy Shield registrants are permitted to transfer data to data processors subject to a contract and must (i) transfer personal data only for limited and specified purposes; (ii) ascertain that the data processor is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the data processor effectively processes the personal information transferred in a manner consistent with the data controller's obligations under the Principles; (iv) require the data processor to notify the data controller if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to Commerce upon request (see Annex 2, II, 3 b) of the EU-U.S. Privacy Shield). These requirements are stricter than the onward transfer obligations under the Safe Harbor Principles.
d. Onward Transfers under BCRs. If a multinational business implements BCRs, it could cause all non-EEA based entities to submit to the BCRs and thus cover all direct and onward data transfers within the group. But, the BCRs do not cover any data transfers outside the group. Thus, groups with BCRs would still have to implement other compliance mechanisms for any direct or onward data transfers to non-affiliated companies. If a group commits in BCRs that it will require onward transferees to adopt the same BCRs or accept them with respect to specific data transfers, such a requirement may be very difficult to satisfy in practice as vendors and other unaffiliated third parties will be hesitant to review, understand and commit to another organization's custom BCRs.
e. Onward Transfers under approved codes of conduct or approved certification mechanisms. Approved codes of conduct or approved certification mechanisms require binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
7. Submission to foreign law and jurisdiction. The consent and contractual undertaking routes do not present companies with any specific restrictions as to choice of law or jurisdiction (but general public policy limitations apply, e.g., with respect to consumers and employees). The Standard Contractual Clauses, on the other hand, require the data recipients to submit to the data protection laws and the jurisdiction of the courts of the EEA member state from where the European company transfers the data, and data subjects have a third party beneficiary right to enforce the data transfer agreements in a local court. With respect to BCRs, the data protection authorities in each EEA member state where the BCRs will be implemented may demand similar protections in connection with the approval process. Alternatively or additionally, data subjects could try to enforce the Standard Contractual Clauses and BCRs in U.S. courts.
The EU-U.S. Privacy Shield framework is largely a creation of U.S. law and enforcement will likely occur primarily in the U.S.: Commerce will scrutinize submissions, handle challenges and possibly request information from organizations that register. Also, the FTC is the primary enforcement authority for Privacy Shield violations. And, at least in principle, the FTC, State Attorneys General and private plaintiffs can bring actions on unfair competition, misrepresentation and breach of contract theories in connection with any compliance vehicle.
Courts in the U.S. and EEA courts may take jurisdiction based on traditional rules of civil procedure. Also, with respect to HR data, U.S. companies have to submit to the jurisdiction and audits by EEA data protection authorities, even in the context of the EU-U.S. Privacy Shield program (Annex II, 5.d, Role of Data Protection Authorities of the Privacy Shield Adequacy Decision).
8. Enforcement risks. Regarding Standard Contractual Clauses and BCRs, enforcement actions have so far not been publicized—neither in the U.S. nor in the EU. In the relatively few enforcement cases involving data transfers from the EEA to other countries, the European Data Protection Authorities have so far preferred to take action against the data exporter, i.e., the local entity that was fully obligated to comply with local data protection laws anyhow. At the same time, the validity of the Standard Contractual Clauses themselves is currently subject to scrutiny, and they may be modified by the Commission proactively or struck down in a similar manner as the Commission decision regarding Safe Harbor.
With respect to the U.S. Safe Harbor program, on the other hand, the FTC had brought more than two dozen enforcement actions, and companies that participated in the program have also been subject to challenges to the program itself in Europe. See Brian Hengesbaugh, Lothar Determann, Amy de La Lama, and Michael Egan, U.S. Federal Trade Commission Is Serious About Enforcement of the U.S.-EU Safe Harbor Framework, Baker & McKenzie LegalBytes Special Edition (February 2014). The U.S. Commerce Department and the FTC have committed to enforcing the Privacy Shield more rigorously than the Safe Harbor Program in the U.S., and challenges to the program itself are expected in Europe. Therefore, and based on experiences with the Safe Harbor program, some U.S. companies are concerned about potentially greater risks of enforcement actions if they join the Privacy Shield than if they rely on other compliance options.
9. Public relations and business benefits. In the early years of the U.S. Safe Harbor Program, U.S. companies advertised their registration on consumer-facing websites, touted their registration status in whitepapers on privacy compliance, celebrated the program in communications to employees in the EU and benefitted from the ability to “check the box” in responses to requests for proposals. More recently, the U.S. Safe Harbor Program was increasingly criticized in Europe and U.S. companies started to tone down their certification announcements. U.S. companies that are in the business of hosting or processing data for others (e.g., outsourcing service providers, software-as-a-service companies) were expected to register for Safe Harbor and will likely be expected to register also for the EU-U.S. Privacy Shield program, and customers are unlikely to see an extraordinary effort or benefit in such a registration (but take it as a given).
U.S.-based cloud or processing services providers will also likely not worry much about signing up, because the EU-U.S. Privacy Shield Principles and EU data protection laws generally do not demand materially more in terms of substantive compliance than what is otherwise required in their services agreements. U.S.-based data processing service providers are also expected to agree to data processing agreements based on the Standard Contractual Clauses 2010. Companies that are not pressured by customers to sign up for the EU-U.S. Privacy Shield and do not want to expose their compliance approach to the public eye might decide not to join the Privacy Shield at this time, and implement data transfer and data processing agreements only.
10. Stability. The EU-U.S. Privacy Shield will be reviewed and possibly renegotiated annually by the European Commission and Commerce. The SCC are currently being challenged. BCR requirements constantly evolve. Requirements for Codes of Conduct and Certifications are still in the process of being developed. Data subjects can revoke their consent to voluntary data processing at any time. Currently, none of the options offers a great degree of stability.
11. International Interoperability and non-EEA Data. Most U.S.-based multinationals are not only dealing with personal data and compliance requirements from the EEA. Increasingly, other jurisdictions are enacting or updating data protection laws and introducing additional or different requirements. A company that registers under the EU-U.S. Privacy Shield would not benefit from such a registration with respect to personal data or requirements from other jurisdictions, given that the program applies only to data from the EEA and only to U.S. companies. But, companies that participate in the Privacy Shield program should be able to leverage their self-assessment documentation and privacy notices. Consent, data transfer and processing agreements, and BCRs can also be leveraged for many other jurisdictions, and modified versions of SCC-based data transfer agreements or data processing agreements are also useful internationally.
12. Formalities. The EU-U.S. Privacy Shield requires a formal compliance declaration from an officer of the company in connection with the initial certification and annual recertification. Participating companies are listed on a public website maintained by Commerce, even if and after they withdraw from the program.
For the execution of contracts based on the SCC 2004 and 2010 and any amendments, a signature from authorized company representatives is also required, but these do not have to be corporate officers. Many multinational enterprises work with centralized powers of attorney to facilitate the execution of routine contract amendments, e.g., when addresses of entities change. Companies do not have to publicly disclose their contracts.
Signature, publicity and other formal requirements relating to BCRs, Codes of Conduct and Certifications vary from country to country. The European Commission publishes a list of companies that have obtained approvals for BCRs.
Companies that rely on consents or contracts with data subjects do not have to comply with formal signature requirements and are not added to published lists.
No one size fits all. Each company (and business unit within decentralized organizations) has to assess its own data flows, business needs and risk sensitivities, and this may cause organizations to select different compliance mechanisms for specific countries, business lines, data categories, use cases and other scenarios. With respect to cross-border data transfers from the EEA, multinational businesses must ensure that all three hurdles are taken. When companies choose an appropriate compliance mechanism to establish adequate safeguards for data importers and onward transferees outside the EEA, they should carefully analyze their particular situation, for example, regarding data categories (sensitive or non-sensitive), data flows, processing needs, ability to obtain contractual justifications or consent from data subjects, ability to implement contracts in the entire data transfer chain and implications of a particular compliance mechanism for various other compliance steps and challenges (such as disclosure requests in the context of litigation or government investigations, whistleblower hotlines, employee monitoring, etc.). None of the available options is superior for all companies and all circumstances. But, companies that assess their particular situation and all applicable pros and cons carefully will often identify a clear favorite for particular data streams and business lines.
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.