Cross-Border Data Transfers: Privacy Shield Is About to Go Live

Ending months of speculation, on July 12, 2016, the European Commission adopted a revised version of the EU-U.S. Privacy Shield announced earlier this year. Why should U.S. business enterprises care about the Privacy Shield and what should they do about it? We answer those questions here.

European data privacy laws are much stricter than those in the United States. For example, in the United States we typically protect sensitive information such as data about an individual’s health or financial account information. In Europe, all “data about an identified or identifiable individual” is protected. This includes things such as an individual’s address and phone number.

European law requires that personal data of European citizens must have European-style protections wherever it goes, and the law provides penalties for those who move European personal data out of Europe without ensuring those protections are in place.

The privacy law of the United States and many other countries does not measure up to European requirements. Without additional mechanisms to provide European-style protections to European personal data, transfers to the U.S. and other countries violate European law. And transfers do happen. Even something as simple as including European citizens’ personal data in an employee directory (such as Microsoft Outlook Enterprise) constitutes a transfer.

For nearly two decades, the U.S. Safe Harbor (a self-certification process regulated by the U.S. Department of Commerce) was available to provide a safe landing place for European personal data in the U.S. That ended October 5, 2015, when the European Court of Justice invalidated the Safe Harbor. After months of negotiation, and leaving international data transfers in legal limbo, the newly-announced Privacy Shield will provide a replacement for the Safe Harbor.

The basic steps to enjoy Privacy Shield benefits are relatively straightforward:

• Self-certify with the U.S. Department of Commerce (which begins taking applications August 1, 2016); and
• Publish a Privacy Shield privacy policy that embodies the Privacy Shield Privacy Principles (human resource data will be subject to more stringent guidelines).

Achieving substantial compliance with Privacy Shield and European data protection rules will be much more complicated. For example, enterprises will need to establish internal policies and procedures that implement Privacy Shield Privacy Principles such as the following.

• Notice and Choice: Enterprises will need to provide substantially more information about what they intend to do with the personal data they collect. Moreover, if they seek to use the data for any new purposes, they will need to provide an additional notice and seek the individual’s consent (and Europe relies on an opt-in for consent, not an opt-out);
• Onward Transfer: The enterprise will be liable for any onward transfer of the data (for example to an HR service provider) and must revise agreements with any third parties to ensure that they adhere to the privacy safeguards that the enterprise has put into place. The good news is that for any enterprise that files an application for self-certification by September 10, 2016, it will receive a nine-month grace period to revise these contracts;
• Security: Enterprises will need to implement specific measures including access controls, technical and administrative safeguards, to protect EU personal data;
• Access: Individuals will have the right to access their personal data and ensure that it is accurate; and
• Dispute Resolution: Individuals also have the right to challenge an enterprise’s data protection practices—potentially bringing an action in Europe.

How effective will the Privacy Shield be? That’s a difficult question, but the answer appears to be that it will be effective until it is not. There were plenty of critics of the new framework, including an influential committee of European Data Protection Authorities. Privacy Shield is certain to face legal challenges in the near future that could once again invalidate this new framework. But, in the meantime, it provides a straightforward way of again complying with European data privacy law for thousands of U.S. enterprises.

Privacy Shield is just one of several mechanisms for complying with European data privacy law. Privacy Shield only covers transfers to the U.S. If an enterprise transfers European personal data: (i) from Europe to some other country whose law does not contain adequate protections; or (ii) transfers the European personal data from the U.S. to such other country (even though the European personal data initially landed safely in the U.S.), Privacy Shield will not cover those transfers.

Other mechanisms include so-called Standard Contractual Clauses (sometimes called “model clauses”) and Binding Corporate Rules. Standard Contractual Clauses putatively allow transfers anywhere in the world. To put them in place, the enterprise and its affiliates and/or trading counterparties execute the appropriate set of clauses from among the three EC-approved sets and then comply with them.

On the other hand, Binding Corporate Rules are a single set of binding, enforceable rules applied across various entities of a corporate group that have been submitted to, and approved by, European regulators. Given their complexity and long approval process, these are most appropriate for large, multinational enterprises.

Finally, there are also several exceptions to the prohibition on transfer of data including if the data subject “has unambiguously given his/her consent to the proposed transfer” and, in certain instances, when it is necessary for the performance of a contract between the data subject and the enterprise.

Given the recent enforcement actions by European data regulators and the benefits of applying for certification right away, enterprises can no longer rely on a wait-and-see approach to cross border data transfers. Enterprises must immediately conduct a thorough, and privileged, review of their current data protection practices and choose the data transfer option that makes the most sense for them.

The bottom line:

1. In most cases, if an enterprise moves personal data out of Europe and to the U.S., it makes sense for the enterprise to sign up for the Privacy Shield. This is especially true if the enterprise was previously a participant in the Safe Harbor program.
2. Even with a new replacement for the Safe Harbor, enterprises need to be sure that any European personal data that is transferred out of Europe has European-style protections wherever it goes. Based on recent events, it appears that Standard Contractual Clauses and Binding Corporate Rules are the most popular and effective ways to make that happen.
3. Fully-informed consent by the data subject to the transfer of personal data can also be effective and enterprises should pursue it whenever possible. European law regarding what constitutes effective consent is always fluctuating (and will change to become tougher under the new European General Data Protection Regulation in 2018) and even those enterprises that pursue and obtain consents would do well to have one or more backup means of assuring compliance, like the Privacy Shield, Standard Contractual Clauses, or Binding Corporate Rules.

For more information on this topic, please contact the authors of this alert, Stephen Tupper at (248) 203-0895 or stupper@dykema.com, Aaron Charfoos at (312) 627-2573 or acharfoos@dykema.com, or any other members of Dykema’s Privacy, Data Security & E-Commerce Practice Group.