In our recent OnPoint, we reported that the Court of Justice of the European Union (CJEU) declared that the “Safe Harbor,” upon which many companies in the EU and U.S. relied to share data both within and outside of their organizations, was invalid under EU law.
The Schrems v. Data Protection Commissioner of Ireland decision creates significant repercussions for EU to U.S. data flows across all sectors. Although much of the press commentary has related to the large technology firms that sell into Europe, it should not be overlooked that the broad ruling may impact businesses in the asset management industry. Specifically, the ruling impacts:
- Asset managers based in Europe that transfer “personal data” to U.S. affiliates or service providers;
- U.S. asset managers that have EU affiliates acting as sales agents, who may transmit personal data back to the United States; and
- Funds established outside of Europe that use European service providers (e.g., fund administrators).
European data protection laws apply to a wide category of “personal data,” which will capture much investor data.
This OnPoint provides background to the recent developments regarding the Safe Harbor’s effectiveness as a conduit for data transfers. It considers how these recent developments could affect the financial services industry, and offers six important considerations for an assessment of whether further action is necessary to comply with the changing landscape of EU data privacy regulation.
The “Adequacy” Rule
Data protection law in the European Union is harmonized, and each member state establishes laws generally providing that personal data may not be transferred outside Europe unless the “data controller” assures an “adequate level of protection.”
The consent of an individual whose data is collected is an important exception to this rule, however. And the ability to obtain the relevant consents likely will be relevant to many in the asset management world—whose operations otherwise may be impacted by the recent ruling.
What is the Safe Harbor?
Until the recent Schrems decision, pursuant to a European Commission (Commission) decision from 2000, the Safe Harbor was one of many mechanisms available to European entities to ensure the requisite data protection when passing along personal data to a U.S. entity. U.S. entities could self-certify that they adhered to seven Safe Harbor principles and make a public declaration of their adherence. Failure to adhere to the principles would subject a member to enforcement by the Federal Trade Commission (FTC). Thus far, 4,400 U.S. companies have self-certified to the Safe Harbor framework.
Schrems v. Data Protection Commissioner of Ireland
The CJEU ruled that the Commission’s adoption of the Safe Harbor as an “adequate” mechanism for the transfer of personal data was invalid because the Commission’s promulgation exceeded its statutory authority. The CJEU also decided that the Commission’s “adequacy” decisions do not bind the national data protection authorities (i.e., the data protection authority in each of the EU’s member states).
Considerations for the Asset Management Industry
There is no shortage of uncertainty about how companies should respond to the Schrems decision. Below are six important steps that financial services firms should consider when determining whether to act to avoid running afoul of the newly fragmented EU data privacy enforcement regime.
I. Determine who is responsible for data protection law compliance.
EU data protection rules first seek to identify the “controller” of the personal data, which is the entity that will be subject to the data privacy rules. A “controller” is defined as the entity that determines the purposes and the means of the processing of the data. For example, in the context of HR data, the employer will be the controller. In the sales context, including in the asset management industry, the entity undertaking that activity (e.g., the distributor, adviser, or manager obtaining subscriptions) will be the controller.
However, depending on the structure adopted for a particular investment, following subscription, the fund itself (as it will also have legal personality) may also be a controller in relation to data about the investors.
II. Determine whether European data privacy laws apply.
The next issue is jurisdictional: whether the data controller (i.e., the adviser and/or the fund) is subject to the EU rules.
The EU data protection rules apply in two common circumstances:
- First, where the data controller is “established” in Europe. Establishment is wider than simply being incorporated within a European country. The term “establishment” includes having an office, agency, or branch. Following another recent decision of the CJEU (discussed in a Dechert OnPoint), it may also apply if a U.S. asset manager has a sales office within the EU.
- Alternatively, where the data controller is not established in the EU, but uses a service provider (a “data processor”) within the EU (e.g., a fund administrator or transfer agent).
Accordingly, EU data protection rules likely extend to EU headquartered asset managers, U.S. asset managers with EU sales or distribution offices, as well as European-domiciled funds. Furthermore, funds incorporated outside of the EU, but which use administrators or other service providers within the EU, will also be subject to the rules.
III. Identify the data flows.
Once it has been determined that the EU rules apply, the controller (whether the adviser or the fund) should identify its relevant “data flows” (i.e., where, and to whom, personal data is transferred). Firms should be aware that data flows may have multiple steps. Indeed, the same personal data may flow initially to a sister entity of the same corporate group and then to another entity, such as a third-party service provider servicing the entire group. If personal data is sent to the United States at any point in the data flow, then the “adequacy” requirement explored in the Schrems case must be considered.
Importantly, a data transfer need not be external to a corporate structure to trigger these rules. The issue also arises if, for example, European members of a multinational group centralize operations, and therefore transmit personal data outside of Europe. The same may be true if a firm centralizes its procurement of fund services from, and therefore passes personal data through, the United States.
Notably, the restrictions on sending personal data to the United States apply to the European “exporters” of data, not to the U.S. recipients.
IV. Determine whether the recipient of data relied on the Safe Harbor.
Even if a firm collects personal data from the EU and transmits it to the United States, the Schrems case does not necessarily create an issue. Indeed, the Schrems case poses a concern only for those EU data controllers that transmit data to a U.S. entity (in this sector, most likely a service provider) purely in reliance on the U.S. data recipient’s Safe Harbor status.
Firms can check the status of their affiliates and/or service providers by searching the U.S. Department of Commerce’s database.
Of course, if an EU data controller did not previously rely on its U.S. data recipient’s Safe Harbor status, the controller should have taken other steps to “adequately protect” the personal data.
V. Take alternative steps to comply in the absence of a Safe Harbor.
Impacted European firms should immediately consider implementing an alternative method of confirming that their EU-U.S. data transfers will remain “adequately protected.” Firms that have not previously addressed the issue should now do so, given the increased regulatory scrutiny.
“Structural” alternatives to participation in the Safe Harbor include the use of standard contractual clauses and binding corporate rules. For the time being, these alternatives remain effective. That said, companies employing these alternatives should monitor developments in this area, as these alternatives potentially could be susceptible to challenges similar to the Schrems case.
VI. Consider the availability and effectiveness of investor consent.
As mentioned above, the consent by individuals to the sharing of their personal data disapplies the adequacy rule. In the EU, however, consent is normally a difficult concept for data protection purposes. Firms relying on consent to address this issue should review the consent language in their relevant agreements. Although it superficially seems easy to obtain, consent must be given freely, be specific, and be informed. Moreover, European regulators have been skeptical as to the general availability of consent to cure this issue (e.g., in the context of HR data).
Nevertheless, in the case of investor data, consent may well be a useful solution. Indeed, in the asset management context, the onboarding process for investors is already document- and disclosure-heavy.
Even if based in the EU, investors will often be informed of any U.S. dimension to the management of their investment or, of course, to the off-shore status of the fund itself. In such cases, it should be feasible to obtain an appropriate and informed consent with suitably broad language in, for example, subscription documentation and an offering memorandum.
The Schrems decision has created a great deal of uncertainty for many sectors that need to collect and store personal data and those transferring data outside the EU. Firms awaiting a government-sponsored solution from authorities in the EU and the U.S. (a so-called “Safe Harbor 2.0”) would be well advised to undertake an assessment to determine whether, in the meantime, there are other means of complying with these rules.
For firms in the asset management industry, this should include taking stock of the data collected, whether third-party service providers may be involved, and what measures are being taken to ensure that the data is adequately protected. In particular, obtaining the consent of investors may be a suitable, and perhaps attractive, solution. Consents in subscription and related documentation should be reviewed to ensure maximum flexibility.