Following the landmark judgment of the CJEU on 6 October 2015, which declared the U.S.-EU Safe Harbor scheme invalid and allowed national supervisory authorities to evaluate whether an adequate level of protection is provided in non-EU countries, companies that rely on Safe Harbor may now be exposed to claims and complaints, and to the resultant investigations by national data protection authorities. Whilst the U.S. Department of Commerce has issued a statement that the Department will continue to administer the U.S.-EU Safe Harbor scheme, there are potential exposures on both the U.S. and EU sides that need to be addressed.

Who does this concern? Companies that currently rely on Safe Harbor to transfer personal data collected in the EU to the U.S., whether directly or indirectly, and other companies which have not filed for Safe Harbor but are transferring personal data to the U.S. from EU locations or entities (including to third-party providers).

What practical steps can be taken now? At present, there is considerable uncertainty around what immediate or near-term actions companies that currently rely on Safe Harbor are expected to take. The Article 29 Working Party is carrying out an ongoing analysis of the situation, and the European Commission has given itself until the end of January 2016 to negotiate a new U.S.-EU Safe Harbor agreement.

In the meantime, the following practical steps should be considered by affected companies to make sure they are prepared and ready to take action once the Article 29 Working Party guidance is published: 

  1. Identify the EU to U.S. personal data flows of the company – identify the path that the personal data follows, from its collection by the EU company, to its transfer to the entity in the U.S., and any onward transfers; identify the purposes for which the personal data is collected and used; and identify the systems, software and hardware used by or on behalf of the company to store and process the personal data. Determine which EU countries the data is being transferred from, as the oversight and positions of EU national data protection authorities may be different.
  2. Identify all instances of where the company relies on Safe Harbor (or on other cross-border data transfer mechanisms), including, for example, in intra-group transfers, and transfers to U.S. vendors, partners, sub-processors, and sub-contractors. Review the due diligence on these EU and U.S. entities.
  3. Check if other derogations or exclusions apply, such as consent, or transfers that are necessary for the performance of a contract with the individual to whom the personal data relates, or for compliance with a legal obligation. If the company relies on consent, ensure that the company’s privacy policies, notices and consents are adequate and effective (do they explicitly allow transfers of the personal data to the U.S.?), and that the company does not process (at least going forward) the personal data of anyone who has withdrawn their consent.
  4. Review the company’s public or consumer-facing statements (such as terms and conditions, promotional content, current contracts with customers) and make sure that nothing misstates the data protections or privacy practices which the company has in place. 
  5. Consider using the EU Model Contract Clauses – determine which version to use in relation to your company’s structure (data controller to data processor, or data controller to data controller). Do bear in mind that the impact of the CJEU judgment on the validity of the alternative data transfer mechanisms (including the EU Model Contract Clauses) is under ongoing analysis by the Article 29 Working Party and by national data protection authorities (see, for example, the position paper released by the German federal and state data protection authorities, which states that they will no longer approve transfers to the U.S. on the basis of binding corporate rules and that they will audit the use of the EU Model Contract Clauses for transfers to the U.S.).
  6. Review indemnity provisions in the company’s agreements with relevant service providers, third parties and other entities in the data processing and transfer chain.
  7. Ensure that the company has the appropriate registrations with, and approvals of, the relevant national data protection authorities, where necessary.
  8. Identify the implementation mechanisms, means and back-off steps by which Safe Harbor, the EU Model Contract Clauses and/or consents are actually put into effect.
  9. Identify relevant stakeholders in the process and inform them, where appropriate, of their obligations. These may include company or third party sales representatives, distributors, data gathering entities, customers, and other employees.
  10. Consider the impact on current and upcoming projects of the company, including technology resets or re-configurations.
  11. Consider implementing binding corporate rules or global privacy policies as possible long-term strategies (but note the German position described in point 5 above).
  12. Review your exit, break, force majeure and compensation clauses in existing contracts that may have exposure, and initiate strategic discussions regarding termination of contracts, given the potential for a prolonged period of uncertainty whilst decisions are made at the U.S.-EU level.