Post-Safe Harbor Practical Privacy Tips
It has been a month since the European Court of Justice (“ECJ”) found that the EU-U.S. Safe Harbor Framework is no longer a valid compliance mechanism to establish adequacy for European companies and individuals to transfer personal information to U.S. companies in the Schrems decision.
The decision was largely driven by concerns in the EU that, under U.S. law, enforcement authorities will have access to personal data of EU citizens for U.S. national security programs. As we have seen, however, is the realization that any exposure to surveillance by the U.S. government is not unique to companies that use the Safe Harbor, but also applies to companies that rely on other compliance methods or “derogations”. In any case, derogations are strictly and narrowly interpreted. While there are other various “derogations” or exceptions that allow for transfers, historically, companies have relied on consent, binding corporate rules or model clause contracts.
For consent to be a valid transfer mechanism, consent must be freely given, specific, informed and unambiguous. The precise consent mechanism may also differ from EU Member State to State but generally falls into the category of a specific “opt-in”. The use of consent is a workable alternative when the consent can be obtained directly from the individual whose data is being transferred. Consent, however, cannot be relied upon by companies with respect to employee data or by companies that receive data from an EU entity because the entity cannot consent on behalf of the individual. Moreover, the UK Information Commissioner’s Office clarifies that the consent derogation is to be used in exceptional circumstances and for one-time transfers, as opposed to continuing transfers of data (https://ico.org.uk/for-organisations/guide-to-data-protection/conditions-for-processing/). Thus companies must carefully consider if consent is a viable method based on the data transfer and customer relationship.
Less than 75 companies have successfully completed and implemented binding corporate rules. The process for binding corporate rules is lengthy taking anywhere from 12 months to 3 years for closure. Binding corporate rules require the approval of the Data Protection Authority (DPA) of each EU Member State from which the data is received, with one DPA serving as the lead managing authority. Given the required coordination and negotiation with the DPA’s that takes time, binding corporate rules are also costly. Realistically binding corporate rules may make sense for large multi-national companies that have offices in various countries. Binding corporate rules usually are not be cost effective for small startups with offices only in the U.S.
Model clause contracts formulated by the European Commission are another option for companies wishing to transfer data from the EU to the U.S. Many U.S. companies have shied away from using such clauses based on their third party beneficiary, liability and governing law provisions. But the clauses are now one of the few options for companies wanting a stop gap measure. If the clauses are used without any change, they may not require approval of each DPA (although with the Schrems decision, this may be changing and some DPA’s may now require approvals). Companies that choose to use model clause contracts to transfer EU data of their existing customers to the U.S. are faced with the administrative burden of obtaining agreement from their existing customers to the contracts.
Unfortunately, some DPA’s have publicly stated that they may not accept model clause contracts. EU Member States such as Germany are being particularly aggressive in indicating that no EU personal data is safe in the U.S. (https://www.datenschutzzentrum.de/artikel/981-.html). On November 6, 2015, the EC issued a communication guidance document to the European Parliament that indicated model clause contracts that are not changed may continue to be relied upon but they still may be challenged by DPA’s to protect the rights of an individual (http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/files/eu-us_data_flows_communication_final.pdf).
Thus some companies are considering or have already implemented a new structure of retaining and hosting EU personal data in the EU. This may not be a realistic option for smaller entities that may not have a budget to revamp their hosting model. Another option would be to not transfer personal data that can identify an individual to the U.S. if the business objective can be achieved with truly anonymous de-identified data.
A case on appeal that is still pending in the U.S. Second Circuit Court of Appeals may throw off any plans to retain EU data in the EU as a measure to guard the data from U.S. law enforcement (Microsoft Corporation v. The United States of America). In that case, Microsoft is fighting against the ability for U.S. law enforcement to obtain email records related to a drug trafficker that is hosted in Ireland. The issue is whether or not a U.S. judge and the Department of Justice can compel a U.S. company to produce evidence stored in Ireland. If Microsoft loses its appeal, European Union based cloud service providers may receive a sales boost as European Union consumers may turn away from U.S. based providers. European Union citizens are already more leery of U.S. based companies’ use of their personal data and a Microsoft loss may allow U.S. law enforcement authorities to have access to data that is not even stored within the U.S.
The decision in Schrems has reinvigorated privacy debates and sparked an interest in data protection. Firms that specialize in plaintiff privacy class action litigation recently set up offices in San Francisco, at the heart of where many of the companies being directly affected by Schrems and other privacy decisions. With the increased focus on privacy and data protection, it will be even more important for companies to develop a compliance strategy and to stay on top of the developments in this area. Despite some criticism of arbitration clauses and class action waivers, it is also worth considering whether to include well drafted and binding class action waivers in consumer and online agreements where companies are collecting data directly from individuals (as analyzed by Paradigm Counsel partner Greg Wrenn. See http://seattlebusinessmag.com/business-corners/law/make-sure-your-online-services-contract-includes-arbitration-clause). The Department of Commerce is continuing to enforce the Safe Harbor so companies that have committed to the Safe Harbor Principles must continue to protect data they have in accordance with the Principles.
EU and U.S. lawmakers must continue to engage in an open dialogue to resolve these issues to come up with a feasible new Safe Harbor and ensure that companies are not faced with a decision of which laws to follow. The EU Commission and the U.S. have been working on a new Safe Harbor since 2013. In light of the Schrems decision, they have committed to work in an expedited manner to agree on a new Safe Harbor by the end of January 2016. In its communication issued on November 6, 2015, the EC prioritizes agreement on a “renewed and sound framework for transfers of personal data to the United States” (http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/files/eu-us_data_flows_communication_final.pdf). For companies that previously relied on the Safe Harbor, companies should consider the options discussed in this newsletter. A company may determine that one or a combination of these options makes sense for their compliance strategy: obtaining consent, entering into model clause contracts, segregating EU personal data in the EU, anonymizing EU data so it is not personal and/or updating their consumer and online agreements with arbitration clauses and class action waivers.