As we previously reported, this February, United States (U.S.) and European Union (EU) negotiators announced the “U.S.-EU Privacy Shield” as a replacement for the U.S. Safe Harbor. Many U.S. companies relied on the Safe Harbor to transfer data from the EU to the U.S. The Privacy Shield negotiations were accelerated in response to the European Court of Justice’s judgment late last year, in the Max Schrems case, declaring the Safe Harbor to be an inadequate framework for transferring such data under Directive 95/46/EC (EU Privacy Directive), a judgment prompted by the Edward Snowden revelations about U.S. government authorities accessing data.
The Privacy Shield’s ultimate adoption requires approvals at different levels within the EU. The approval process will take several months, or even longer, and approval is not a foregone conclusion. Most recently, the EU Article 29 Working Party, a committee of EU data-protection regulators, issued an opinion criticizing the Privacy Shield for failing to adequately restrict U.S. government access to EU citizens’ data and for failing to include important components of the EU’s data-protection regime. While the Article 29 Working Party’s opinion is not binding on the European Commission, it does potentially slow the momentum for the Privacy Shield’s adoption by member states and the EU itself. It also provides opponents of the Privacy Shield with a powerful weapon to use in the court action they have threatened to bring to challenge the Privacy Shield.
In the interim, U.S. companies that still need to transfer data out of the European Union are looking for answers and alternatives. As a first step, companies should know that the U.S. Department of Commerce continues to administer the Safe Harbor program, both to process new submissions for self-certification to the Safe Harbor Framework and to accept any existing certified company’s annual reaffirmation.
However, several European data protection authorities have encouraged U.S. companies to explore the alternative arrangements available under the EU data protection regime. These alternative arrangements, which permit the transfer of data from the EU into the U.S., include:
- Companies can adopt approved “model contract” terms to use as a stand-alone agreement, or as an addendum to, or even a section in, an existing agreement. Some EU countries require that these model contracts be registered with the local data protection authority (DPA). Any changes to the model contract terms require approval of the local DPA, which can take significant time.
- Data transfers within a company group structure could rely on Binding Corporate Rules (BCR). BCR are a set of rules by which a company agrees to be bound with respect to personal data. BCR require approval from the local DPA of the EU country from which the data is being transferred. This approval process takes 12-18 months, and perhaps longer as more companies opt for this arrangement.
- Another option is to keep the relevant data inside the EU. This means that any review or processing of that data must occur within the EU. While this is often the only option in urgent situations, such as an investigation involving employee practices or a regulatory issue, it may not be a practical option for some companies, as it would require travel and expense.
- Under the EU data-protection regime, the relevant data may be transferred out of the EU to the U.S. with the individual’s consent. However, implementation is tricky, as what constitutes valid “consent” differs in each EU country and cannot be “coerced.” Many DPAs consider it coercion to ask an employee for “consent” to transfer HR data out of the EU.
While we are in this period of transition, data protection authorities have said they will continue to investigate particular cases, particularly in response to complaints, and to exercise their powers in order to protect individuals.
We continue to monitor the developments with the Privacy Shield closely and will report on changes as they occur, including developments on the EU General Data Protection Regulation (GDPR), which replaces the EU Privacy Directive. The EU Parliament approved the GDPR on April 14. The next step is for the GDPR to be published in the Official Journal of the EU this June. The GDPR enters into force 20 days after such publication. The GDPR will apply, and enforcement will commence, two years from the date of entry into force, expected to be in early July, 2018.