A couple of days after expiry of the 31 January deadline, political agreement has been reached for a new arrangement for data transfers from the EU to the US, to be known as the “EU-US Privacy Shield” (aka Safe Harbor 2.0).
This follows the European Court of Justice decision in October 2015 in the Schrems case that the (old) Safe Harbour arrangement was invalid.
The new arrangement will provide stronger obligations on US companies to protect the personal data of Europeans and stronger monitoring and enforcement by the US FTC.
To facilitate the data flows, the US has been forced for the first time to give a commitment that access by US public authorities to the personal data of EU citizens will be subject to clear conditions, limitations and oversight. The US has also given an assurance that it will not conduct mass or indiscriminate surveillance of Europeans.
US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the FTC.
It is very common for EU based subsidiaries of US groups to transfer HR data to the US parent. Under the EU-US Privacy Shield any US company handling HR data from Europe will have to commit to comply with decisions by European DPAs.
In addition, Europeans who consider that their data has been misused will be able to raise any enquiry or complaint with a dedicated new Ombudsperson.
While it is remarkable to reach agreement on such matters within such a short space of time, underlining the political urgency, it’s not all done yet. The EU have to prepare a draft “adequacy decision” in the coming weeks. And the US have to put in place the new monitoring mechanisms and new Ombudsman. We continue to watch the space!
Meanwhile, bear in mind that Safe Harbor / the EU-US Privacy Shield is not the only solution to data transfers from the EU to the US and we continue to work with many companies to put in place other solutions, such as contracts based on model clauses or binding corporate rules.
First proposed in January 2012, agreement has finally been reached between the European Commission, the European Parliament and the Council (the so-called ‘trilogue’) regarding a new General Data Protection Regulation (GDPR).
Current data protection rules are based on the 1995 Data Protection Directive, which predates mainstream internet, social media, big data, the cloud and other advances in technology which shape the way business operates today. It’s a classic case of legislation not keeping pace with technological development; its overhaul is well overdue.
A key benefit of the GDPR will be a single harmonised data protection law covering the whole of the EU. At present, each EU state has implemented its own version of the 1995 Directive and differences can apply in different member states.
The main highlights are summarized as follows:
A stricter regulatory environment
Reflecting ever increasing concerns about how personal data is used in the digital economy, and the continuous flow of news reports about data security breaches, the GDPR imposes a much higher burden of compliance on business. Specific points include:
Fines – the maximum fine for breach of the GDPR is to be set at 4 per cent. of a company’s worldwide turnover. Currently the maximum fine under the DPA is £500,000. This alone should be enough to put the GDPR onto every Board’s agenda.
Easier access to data: individuals will have (and businesses will be required to provide) more information on how their data is processed and this information should be available in a clear and understandable way.
Consent – a new more expansive and specific definition of consent requires that it must be a “freely given, specific, informed and unambiguous indication of his or her wishes” by which the data subject, either “by a statement or by a clear affirmative action”, signifies agreement to personal data relating to them being processed.
Additional administrative burden – businesses must keep a record of any data processing activities under their responsibility (referred to as documentation) and must carry out data protection impact assessments (DPIAs) if they are processing date using new technologies and this is likely to result in a high risk to personal data.
Rules for innovation – the regulation requires that data protection safeguards are built into products and services from the earliest stage of development (privacy by design). Privacy-friendly techniques such as pseudonymisation are encouraged by the GDPR, to allow the benefit of big data innovation while protecting privacy.
Data protection officers – companies will be required to appoint data protection officers if they process sensitive data or collect information from consumers on a large scale. This will be an additional cost to many companies, although there is an exemption applicable to SMEs – see below.
Data processors – the GDPR treats data processors as data controller if they process personal data otherwise than in accordance with the data controller’s instructions and subjects data to processors fines for breaches of the GDPR; under current rules, in general, only the data controller is responsible for compliance.
Data breach notification – companies and organisations must notify the national supervisory authority (that’s the ICO in the UK) of serious data breaches as soon as possible so that users can take appropriate measures.
As well as the above, the new rules strengthen existing rights to include:
a right to data portability – the GDPR will make it easier for consumers to transfer personal data between service providers such as social network platforms and SaaS service providers;
right to be forgotten– EU citizens will have a stronger right to require that their data is deleted provided that there are no legitimate grounds for retaining it, which may require a business to rethink its current policy on data retention and deletion.
Impact on non-EU businesses – the new rules will apply to companies who do not have a physical presence in the EU but offer services in the EU and collect data about EU data subjects. This will, for example, affect many US companies that provide services into the EU.
International data transfers – the position regarding transfers of data outside of the EU is unsatisfactory, highlighted by the recent invalidation of the Safe Harbor framework in respect of transfers to the US. However, it seems that the position under the GDPR will be largely unchanged from the current position.
One continent, one law – The GDPR will establish one single set of rules for the whole of the EU which will make it simpler and cheaper for companies to do business in the EU.
One-stop-shop – businesses will only have to deal with one single supervisory authority.
Exemptions for SMEs
Under the new rules, SMEs benefit from certain exemptions to reduce the burden of compliance:
No more notifications: the requirement to notify to / register with the ICO is to be scrapped.
Subject access: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.
Before the GDPR becomes law, the final text must be formally adopted by the European Parliament and Council, which is set to happen at the beginning of 2016.
The new rules will then become applicable across the EU two years thereafter.
This is an update following our earlier item “US Safe Harbor scheme for data transfers ruled invalid” which can be found here.
Article 29 Working Party opinion
The EU data protection authorities – known as the Article 29 Working Party – have discussed the consequences of the European Court of Justice (CJEU) decision.
First, they have expressed the opinion that data transfers to countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for data transfers from the EU. Therefore, the Working Party is urgently calling for open discussions with US authorities in order to find political, legal and technical solutions to enable data transfers to the US. The current negotiations around a new Safe Harbor could be a part of the solution.
These discussions between the EU Commissioner and US authorities are ongoing, but it is not known if and when they will reach a conclusion. However, it is understood that any new agreement on Safe Harbor 2.0 will involve a new “self-certification” system but with greater oversight and enforcement by EU and U.S. authorities than was the case with Safe Harbor 1.0.
In the meantime, the EU data protection authorities are clear that transfers from the EU to the US can no longer be framed on the basis of “Safe Harbor”. Transfers that are taking place under Safe Harbor after the CJEU judgment are therefore unlawful.
How might this affect you?
You could be affected by this decision if, for example, your parent company is a US company and your HR or customer data is held by the parent company on servers in the US.
You could also be affected if you are one of the many EU-based companies that use Software-as-a-Service (SaaS) solutions which are hosted in the US where the service provider is under Safe Harbor – such as Amazon Cloud or Salesforce.
Similarly, if you are a US based vendor to data controllers located in the EU and your customers have relied on your Safe Harbor certification, then you need to put in place an alternative solution in order to maintain your EU business.
Other solutions to Safe Harbor
Logically, other solutions, such as Standard Contractual Clauses and Binding Corporate Rules, could also be challenged on the same ground as Safe Harbor. Indeed, the German DP Authority has issued a paper saying that they will not issue any new authorisations for transfers to the US. In addition, Israel’s and Switzerland’s DP Authorities (both declared by the EU to have “adequate” legal regimes) have said that they will not allow transfers to Safe Harbor registered companies.
However, notwithstanding this, the Article 29 Working Party have expressed the view that Standard Contractual Clauses and Binding Corporate Rules can still be used, although it is possible that their position on this will change.
By way of summary, other possible solutions to Safe Harbor include the following:
Consent – although it is lawful to transfer personal data with the data subject’s consent, in practice this is not a satisfactory solution on which to rely. First, in relation to HR data, consent is not deemed to be effective because of the lack of real choice that an employee has. Second, consent could always be refused or, if given could be revoked (and then what?).
Standard Contractual Clauses – a relatively straightforward solution that can be readily put in place, but suited to ‘one-to-one’ transfers, where there are two separate contracting parties, the data exporter and the data importer. In some scenarios multiple contracts may be needed. In other scenarios, such as where a UK branch of a US co is transferring data to itself, Standard Contractual Clauses may not be effective as there will not be two separate contracting entities unless there is a restructure of some sort.
Binding Corporate Rules – a possible solution for international groups with ‘many-to-many’ transfers. However, to put in place BCRs is a time-consuming exercise.
Restructure data flows – restructure your data flows so that personal data does not leave the EEA and thus avoids the issue. This is a technical solution and not a legal one and may not be practicable for commercial or technical reasons.
Self-assessment – the UK Information Commissioner has indicated that international transfers could be made following a self-assessment of the laws of the country of the data importer. Much depends on the nature of the data that you are transferring and who you are transferring it to and whether the data can be adequately protected after transfer. This may be helpful for purely intra-group transfers (e.g. of HR data) but does not provide a secure legal basis for transfer to US-based external third parties.
What to do
The European Commission is expected to issue guidance on the consequences of the CJEU’s decision shortly.
Meanwhile, businesses that have been relying on Safe Harbor must consider putting in place an alternative solution.
The EU data protection authorities have said that if, by the end of January 2016, no appropriate solution is found with the US authorities, they are committed to taking co-ordinated enforcement action. One the other hand, the UK ICO has said that they will not be taking any hurried action whilst there’s so much uncertainty around but they don’t offer a specific timeframe.
Therefore, if you have been relying on Safe Harbor for transfers to the US, there could be a relatively short time window in which to put in place a new arrangement.
That said, a blog from the ICO counsels “don’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal”.
The first step is to re-assess your position. What personal data you are transferring outside the EU, where is it going to, and what arrangements have you made to ensure that it is adequately protected?
If these arrangements include Safe Harbor, which of the alternative mechanisms could you use? In practice, in many cases, the most convenient option will be Standard Contractual Clauses.
If Standard Contractual Clauses are unsuitable for any reason then it is possible that a new Safe Harbor 2.0 will emerge so it is also reasonable in the short term to “wait and see”, especially with further official guidance expected.
Please contact us for assistance with reviewing your options or in respect of data protection compliance generally.
The Court of Justice of the EU ruled on 6 October 2015 that the US Safe Harbor scheme is invalid.
While this outcome is not entirely unexpected, it is a highly significant development for companies involved in the transfer of personal data from the EU to the US, and also for US based service providers providing data services or SaaS solutions to EU based clients. The judgment means that businesses that have relied on Safe Harbor will need to review how they ensure that data sent to the US is transferred in line with the law.
The eighth data protection principle of UK Data Protection Act – reflecting the EU Data Protection Directive – says that personal data shall not be transferred to a country outside the European Economic Area (EEA) unless that country ensures an “adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
You can transfer personal data overseas if you have the individual’s consent. However, this is not a great solution as consent even if given may later be withdrawn and true consent is hard to obtain. In particular, consent will not be valid if the individual – such as an employee of a UK subsidiary being asked to agree that his or her information may be held by the US parent company – has no choice but to give their consent.
Data transfers can be made to any country in respect of which the European Commission has made a ‘positive finding of adequacy’. While countries such as Canada, New Zealand, Israel and Switzerland are on this list, the US is not.
If the transfer is to the US, and the US recipient of the data has signed up to the US Department of Commerce Safe Harbor Scheme under which the transferee undertakes to comply with certain data protection principles, then – until now – this has been recognised as providing “adequate protection”. Over 5,400 US companies are on the Safe Harbor list.
How did this case arise?
An Austrian citizen called Maximillian Schrems was a Facebook user. As for other EU Facebook users, Mr Schrems’ Facebook data was transferred from Facebook’s Irish subsidiary to servers located in the US.
Mr Schrems filed a complaint with the Irish data protection regulator that, in the light of the Edward Snowden revelations in 2013 concerning the mass surveillance monitoring activities of the US intelligence services, and the fact that US intelligence can access personal data of EU individuals, the US does not offer an adequate level of protection against access by US authorities to personal data transferred to the US. Accordingly, Mr Schrems sought an order that Facebook should not transfer his data to the US.
While the Irish authority initially rejected the complaint because Facebook is registered under Safe Harbor, the issue was referred to the Irish High Court and then to the European Court of Justice.
So, what should we do?
The Safe Harbor Scheme is not the only basis on which transfers of personal data to the US can be made. Adequate safeguards can be put in place in a number of ways including:
using approved Model Contract Clauses – intended for one-to-one bilateral transfers from a data controller in the EEA to a data controller or a data processor outside the EEA;
adopting Binding Corporate Rules – intended for multinational organisations transferring information outside the EEA but within their group.
Businesses that have up to now relied on Safe Harbor will need to review the legal basis for future transfers and may need to implement some alternative solution. There is unlikely to be a quick fix, but specific actions may include:
Auditing data transfers and assessing legal risk.
Considering alternative data transfer architectures where possible; for example, using service providers who retain data within the EEA, or other approved countries.
Implementing Model Contracts with any counterparties, such as group companies or cloud service providers.
For intra-group transfers, adopting Binding Corporate Rules within the group.
Reviewing if and where data subject consents are being obtained.
Checking contractual arrangements in case the loss of the Safe Harbor is a breach of data processing obligations, and if so assess what action to take.
The decision creates uncertainty as to how matters will develop in relation to trans-Atlantic data transfers. It also raises the possibility that other data transfer arrangements (such as the standard clauses for controller-controller or controller-processor data transfers) could also be open to challenge and invalidated.
The UK Information Commissioner recognises that it will take them some time for companies to respond. As such, there is unlikely to be any immediate regulatory action taken in respect of companies that have hitherto relied on Safe Harbor and may now, strictly speaking, be in breach of the eighth data protection principle.
Concerns about the Safe Harbor have been expressed for a while. Indeed, negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement – sometimes referred to as Safe Harbor 2.0. While these negotiations are well advanced, it is not known if and when they will come to a conclusion.
Meanwhile, further guidance from the EU and UK Regulators is to be expected within the coming days/weeks.
Please contact us for assistance with reviewing your options or in respect of data protection compliance generally.
American Express Company, the parent company of the American Express group, has obtained approval from the Information Commissioner’s Office (ICO) for use of its binding corporate rules (BCRs) throughout the EU, with effect from 28 January 2013. Approval of its BCRs will allow it to transfer personal data from the European Economic Area (EEA) to its affiliates located outside the EEA in compliance with the Data Protection Directive. American Express is the seventeenth company to have obtained BCR approval from the ICO.
The Data Protection Act (DPA), which implements the EU the Data Protection Directive, requires that personal data may only be transferred to a country outside the EEA under specific circumstances. You can only send personal data to a country or territory outside the EEA if that country or territory “ensures an adequate level of protection for the rights and freedoms of individuals when processing their personal data”.
There are a number of possible options by which a data controller can comply with the requirements for the transfer of personal data to countries outside the EEA.
Consent – a transfer to a jurisdiction outside the EEA is permitted where the person whose data is being transferred has consented to the transfer. However, this may not be a secure route to compliance particularly where consent is difficult to obtain reliably, for example, in the case of employees.
Safe harbor framework – for transferring data to a business in the US, compliance by the US company with the safe harbor framework agreed between the European Commission and the US government ensures compliance with the eighth data protection principle.
Standard contractual clauses – for transferring data to other businesses, including US businesses that do not participate in the safe harbor, EU data controllers may rely on contractual requirements they impose on the non-EEA recipients of the personal data. Those contractual requirements are subject to authorisation by the national data protection authority.
Binding corporate rules (BCRs) – for transferring personal data between companies forming part of multinational groups of companies, adequate safeguards can be ensured through the use of BCRs, provided they are specifically approved by the UK authority.
What are binding corporate rules?
BCRs are a set of legally enforceable rules for the processing of personal data that ensure that a high level of protection is applied when personal data is transferred between members of a corporate group.
BCRs are suitable for multinational companies that want to regulate intra-group transfers on a worldwide basis to ensure compliance with the requirements on the transfer of personal data to outside the EEA.
The key features of BCRs are that they are binding within the group and that they confer legally enforceable rights on third parties.
Advantages and disadvantages of BCRs
There are several advantages and disadvantages that a corporate group should consider when deciding whether to implement BCRs to legitimise transfer of personal data outside the EEA.
BCRs avoid the challenges of having to put in place a matrix of contracts between individual group members based on the approved standard contractual clauses.
Once BCRs have been implemented and are operational, they are easier to maintain than a matrix of intra-group contracts. This is especially useful for very large corporate groups which are present in a large number of different jurisdictions.
BCRs provide a significant degree of flexibility for corporate groups as the data protection authorities do not need to approve updates to BCRs. For example, if a new entity is established or there are other changes to the company structure, provided this is notified to the relevant data protection authorities and an accurate record of the changes is kept, no authorisation or approval from the data protection authorities is required.
Implementing BCRs not only raises awareness of data protection compliance within an organisation, but can also cement or improve a group’s reputation for privacy compliance. BCRs can be used also as a selling point as they can demonstrate the group’s commitment to data protection compliance.
BCRs require a high level of protection for personal data and the rules must apply throughout the group even though in some jurisdictions the underlying law may not require such a high level of compliance.
For the policy to satisfy approval requirements, it needs to be made binding within the organisation and individuals must have the right to enforce the rules.
The approval process can be intensive and drawn out. Although the process is becoming easier as authorities gain experience of the mutual recognition system, that system currently does not cover all EU member states so further approvals may be required. Also, some authorities insist on approving specific data transfers even after BCRs are approved.
BCRs apply only to transfers of data within a corporate group. BCRs can therefore not be used to cover international transfers of personal data to companies that are outside the corporate group.
Process for approval of binding corporate rules
BCRs must be submitted to the local data protection authorities in the EEA for approval. Under the current approval process, applicants must submit BCRs to the local data protection authority in each EEA jurisdiction from which it intends to transfer personal data.
Data protection reform
In January 2012 the European Commission published the proposed Data Protection Regulation, which is intended to replace the Data Protection Directive. The draft Regulation gives legislative recognition, for the first time, to BCRs. The European Commission envisages that the Regulation will simplify the process for seeking approval of BCRs as they will only need to be validated by one data protection authority, and once that data protection authority has approved the BCRs, they will be valid for the entire EU without the need for further authorisations at a national level.