Historically, European nations have placed much greater emphasis on data security than the United States, and the European Union has taken a proactive approach to protecting the privacy of its residents. In the mid-1990s, the EU implemented a comprehensive data protection law, called the European Commission’s Directive on Data Protection. Conversely, the United States has taken a piecemeal approach to data protection through specialized legislation providing limited privacy protections, such as the Gramm-Leach-Bliley Act for the financial industry, the Health Insurance Portability and Accountability Act for health care and the Children’s Online Privacy Protection Act for children under age 13.
The different approaches of the EU and the US toward data privacy have created compliance challenges for businesses seeking to transfer personal information about customers and employees from Europe to the US. The EU’s directive broadly defines personal data as “any information relating to an identified or identifiable natural person,” and defines an identifiable person as “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific factors specific to his physical, physiological, mental, economic, cultural or social identity.” The directive prohibits the transfer of personal data to any non-EU country that does not provide “adequate” protection for the privacy of such data. In a nutshell, the test for “adequacy” is whether a country provides data protection laws and safeguards roughly equivalent to those in the EU.
Currently, only 11 countries have been certified by the European Commission to afford adequate protection of personal data,1 and the US is not one of them. Consequently, transfers of personal information from Europe to the US are allowed only if an adequate mechanism to protect the privacy of this information is in place, such as model contractual clauses prescribed by the European Commission or binding corporate rules, developed by companies and approved by the EU member states. These mechanisms have proven to be cumbersome and presented compliance challenges for businesses.
Implementation of these adequacy mechanisms has proven to be burdensome and time-consuming. Thus, the US Department of Commerce negotiated a “Safe Harbor” framework with the European Commission in 2000 to provide a simplified process for the transfer of personal information from Europe to the US. Safe Harbor was a self-certification process under which companies would implement policies and practices consistent with EU data protection principles. Safe Harbor offered a popular and widely-used compliance mechanism for large companies with international operations.
However, in October 2015, in the case of Schrems v. Data Protection Commissioner, the European Court of Justice invalidated the Safe Harbor process.2 The plaintiff, a Facebook user from Ireland, challenged the transfer of his personal information from
Ireland to the Facebook servers in the US. The plaintiff contended that the transfer was unlawful because United States law did not provide adequate protections against the surveillance practices of the US National Security Agency. The ECJ agreed and noted that the US’ national security interests were insufficient to justify what it deemed a significant overreach of the NSA surveillance programs and that these programs were incompatible with the fundamental privacy rights of European citizens. Additionally, the ECJ expressed concern over the inability of European data subjects to seek redress for possible privacy violations in US courts.
The invalidation of the Safe Harbor program has caused a great deal of concern among privacy officials and businesses with European operations. Many are considering implementing other adequacy mechanisms for the transfer of personal data, like model clause agreements or binding corporate rules. While these mechanisms were not expressly invalidated by Schrems, their continuing availability is in question. NSA surveillance programs could be used to access the data of European residents regardless of the manner in which such data is transferred to the US. Consequently, the same concerns that led to the invalidation of the Safe Harbor program likely apply to the other transfer mechanisms.
Schrems prompted the US Department of Commerce to engage in negotiations with EU officials in an attempt to reach a new Safe Harbor agreement. On the day of the publication deadline for this article, the European Commission issued a press release announcing the framework for a successor to Safe Harbor called the EU-US Privacy Shield.3 While the commission did not release the formal agreement or provide specific details, the press release outlines the general elements of Privacy Shield:
The timeframe for approval of Privacy Shield is uncertain, but significant work must be done in the US and EU prior to implementation. For example, each EU member state must review and enact the program and the US must approve the Judicial Redress Act to implement the expanded redress options for European citizens.
Even if the Privacy Shield is not enacted or enactment is delayed, it is not clear that the European data protection authorities will engage in widespread enforcement activities against US companies. Prior to Schrems, the US was the only country with which the EU had negotiated a Safe Harbor program. Other major trade partners with Europe, such as China, India, Russia, Japan and South Korea, needed to use other transfer mechanisms due to the unavailability of Safe Harbor. So while there may be enhanced risks with trans-Atlantic data transfers after Schrems, the invalidation of Safe Harbor essentially equalizes the US with the other “non-adequate” countries from an EU data privacy perspective. However, the invalidation of Safe Harbor has raised awareness of potentially unlawful data transfers and potentially increased the risk of enforcement actions.
Given this uncertainty, what steps should be taken by companies that transfer personal data from Europe to the US? First, they should review their data transfer processes and follow robust privacy protection principles. Second, companies that were using Safe Harbor to transfer data should consider whether to implement an alternative adequacy mechanism, like model clauses or binding corporate rules. Third, companies should review their privacy policies to verify that they truthfully and accurately describe their privacy practices and data protection processes. Finally, interested companies should closely monitor the status of US-EU negotiations concerning the Privacy Shield program and consider efforts to comply quickly upon approval.
1 The European Commission has determined that the following countries provide “adequate” protection for their residents’ personal data: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
2 Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 [2015] E.C.R. I ____ (delivered October 6, 2015).
3 Commission Press Release, IP/16/216 (Feb. 2, 2016).
_______________________________
Brian McCormac is a member at the BrownWinick law firm and assists clients with a wide range of legal concerns, including litigation, business transactions, compliance, privacy, and advertising and promotions. McCormac has a diverse background, which includes practicing at an AmLaw 50 firm, serving as a corporate counsel for a multinational corporation, and acting as the general counsel for a regional water utility. He can be reached at mccormac@brownwinick.com or 515-242-2431.
NOTE: Published in The Iowa Lawyer magazine (March 2016).