In the wake of last month's landmark decision by the European Court of Justice (ECJ) invalidating the U.S.-European Union (EU) Safe Harbor framework, hundreds of U.S. multinationals, no longer able to rely on the Safe Harbor to lawfully transfer employees' personal data from the EU to the United States, are scrambling to answer the question, "What next?" On November 6, 2015, in a "Communication" to the European Parliament and Council, the European Commission, the EU's executive body responsible for negotiating a replacement data transfer framework, provided some answers.
Safe Harbor 2.0 is on the Horizon
The Communication expresses the Commission's commitment to complete negotiations over a replacement framework for transferring data to the United States, commonly referred to as "Safe Harbor 2.0," "in three months" (i.e., by early February 2016). Recognizing the importance of an efficient and cost-effective method for lawful data transfers, the Commission emphasized that "[t]ransfers of personal data are an essential element of the transatlantic relationship" and noted that "data transfers, increasingly, form an integral part of [transatlantic] commercial exchanges." With respect to negotiations over Safe Harbor 2.0, the Commission described the progress to date as "substantial" and explained that in response to the ECJ's decision, "the Commission has intensified the talks with the U.S. government."
While U.S. multinationals have a fairly good chance of seeing a replacement framework in the near future, they are left to ask: "What to do in the interim?" The Communication discusses several alternative methods to continue to transfer data from the EU to the United States.
Standard Contractual Clauses: According to the Commission, Standard Contractual Clauses (SCCs), also known as Model Contracts, remain a valid mechanism for transferring personal data outside the EU. The SCCs are sets of model contract clauses that the Commission has determined ensure an adequate level of protection for transferred personal data. Two sets relate to transfers between controllers, such as transfers between EU subsidiaries and their U.S. parent corporation, while another addresses transfers between a controller and a processor, such as transfers between an employer and a service provider.
In an implicit rebuke to some national data protection authorities who have questioned the continued viability of the SCCs after the ECJ's decision, the Communication states that national data protection authorities "may not refuse the transfer of [personal] data to a third country on the sole basis that these SCCs do not offer sufficient safeguards." However, the Commission acknowledges that national data protection authorities may continue to require submission of the SCCs for review to confirm that none of the standard clauses have been modified. The EU countries where Model Contracts must be submitted for review include, for example, Austria, France, Portugal, Romania, and Spain.
Derogations: The Communication highlights the relatively limited value for employers of the "derogations," or exceptions, as an alternative to the Safe Harbor. The two derogations potentially applicable in the employment context are (i) consent, and (ii) transfers that are necessary for the performance of a contract with the data subject. If a derogation applies, the EU entity is not required to ensure an adequate level of protection for the transferred personal data.
The Communication echoes the commonly held view that employers generally cannot rely on employees' consent to transfer personal data outside the EU because of "the relationship of subordination and inherent dependence of employees." As a result, employees' consent generally cannot be "freely given," a requirement for consent to be valid.
In order for the derogation for transfers of personal data necessary to the performance of a contract to apply, the Commission explains that "there has to be a 'close and substantial connection', a 'direct and objective link' between the data subject and the purpose of the contract." In other words, a multinational employer might be able to rely on this derogation to justify transfers of personal data if needed to administer payroll. However, the EU subsidiary/employer likely would not be able to rely on this derogation to justify the parent corporation's use of EU employees' personal data for purposes less tightly tied to performance of the employment agreement between the EU employee and the EU subsidiary, such as global diversity initiatives, global training programs, or global succession planning.
Other Recent Developments
The European Commission's publication of its Communication is the most far-reaching recent development bearing on cross-border data transfers to the United States. Other significant, recent developments include the following:
Switzerland: The Swiss Data Protection Commissioner has taken the position that Swiss entities may no longer rely on the U.S.-Swiss Safe Harbor to transfer personal data to the United States and instead will generally need to implement data transfer agreements. Significantly, Swiss data protection authorities are coordinating their approach with EU data protection regulators and those involved in negotiating the replacement framework. A U.S.-Swiss Safe Harbor 2.0 likely will follow shortly after the U.S.-EU Safe Harbor 2.0 is finalized.
Israel: Israel's data protection authority has revoked its determination that the Safe Harbor ensures an adequate level of protection for transfers of personal data to the United States. U.S. businesses seeking to transfer personal data from Israel to the United States likely will need to rely on data transfer agreements.
Dubai: The Dubai International Financial Centre (DIFC) has enacted data protection legislation modeled on EU data protection law. The DIFC's Data Protection Commissioner, who previously permitted data transfers to the United States based on the Safe Harbor, has "recommended that personal data transfers to the United States should rely on . . . alternative data transfer mechanisms," such as obtaining a permit from the Data Protection Commissioner or relying on derogations similar to those discussed above.
Portugal: The Portuguese data protection authority issued a statement that entities should suspend data transfers in reliance on the Safe Harbor and that it would approve SCCs only provisionally. As noted above, Portugal is one of the EU countries that require submission of SCCs to the data protection authority.
Spain: The Spanish data protection authority (DPA) has sent a letter to many U.S. companies whose registration with the DPA indicates they rely on the Safe Harbor to transfer personal data to the United States. In this letter, the DPA urges the recipient to implement an alternative, lawful basis for data transfers as soon as reasonably possible but no later than January 26, 2016.
Until a data transfer framework to replace the existing U.S.-EU Safe Harbor Framework is finalized, U.S.-based multinational employers should monitor developments and consider alternative methods for lawfully transferring the personal data of EU employees to the United States.