Any business that moves customer, employee or other personal data should urgently review the basis for its transfers.
Last week, Facebook’s data-use policies came under fire yet again with Belgian regulators claiming they were in breach of EU laws. This latest criticism is symptomatic of the increased scrutiny into the privacy practices of many of the tech giants at a time when the EU strives to update its data-protection rules.
It is not only internet companies that the regulators have in their sights. If your business transfers data from the EU to the US (or most other countries), even within the same organisation, you need to take a fresh look at how you do it, otherwise you risk substantial fines or even shutdown. The goal posts have been moving significantly recently, so solutions that were a good choice previously may well not be appropriate now.
In particular, the US-EU Safe Harbor scheme that many US businesses rely on to ensure “adequately safeguarded” data transfers from Europe is being challenged. In a nutshell, when a company is “Safe Harbor” certified, essentially agreeing to abide by a set of EU-blessed rules over how data is collected and handled once it is in the US, this allows it to legally transfer data from the EU to the US. Without this (or one of the other approved options being used) transfers would be banned as the US is not deemed to be “adequate”.
Safe Harbor has been under attack recently given a growing perception in Europe that many US businesses, such as Facebook and Google, do not live up to the standards required under EU law, and also following the Snowden revelations about data access by authorities.
Last month Safe Harbor was further undermined with the news that two German data-protection authorities had initiated proceedings against two US companies to stop any further transfers under the scheme. While details are unclear at this stage, this news is another reminder that any business that routinely transfers customer, employee or other personal data should urgently review the basis for its transfers.
With potentially huge new fine levels of up to 5 per cent of global revenue coming in as part of the raft of new EU Regulation expected during 2015/16, companies should look at alternatives that could reduce their risk. Aside from having (what can sometimes be hundreds of) contracts in place for each transfer incorporating EU model clauses, the newly improved binding corporate rules (BCRs) scheme is worth serious consideration. BCRs also fit the “privacy by design” mantra that has been coming out of the EU for a while now.
The value of BCRs has certainly increased, and they offer businesses a means to create a safe zone permitting multiple transfers between group companies within that zone. The exercise itself has been significantly improved and simplified via the speedier mutual recognition system, removing an early criticism.
BCRs are also expressly recognised in the draft regulation and have continued to be lauded by the European Commission. As such the exercise of internal assessment and revisions/updating of privacy policies as part of a BCR application process can often, of itself, assist in reducing fine risks.
Given the current status of the draft regulation, the debates over Safe Harbor and the significant fine levels for those who get their compliance and transfers position wrong, BCRs should certainly be looked at or revisited as one of the best solutions — and, in some cases, the best solution — for US and other multinationals exporting and importing data globally. The potential for lengthy investigations and prospect of fines should act as a cautionary tale.