Following the recent decision of the Court of Justice of the European Union in Schrems v Data Protection Commissioner (the case brought by Max Schrems over Facebook's transfers to the US), businesses can no longer rely on the Safe Harbour Framework as a lawful basis for transferring personal data to the US. Whilst the invalidity of Safe Harbour has already been extensively commented on as significantly impacting transatlantic data transfers, it should be remembered that Safe Harbour was never the only mechanism for transferring data to the US and that alternative compliance options may be relied upon.

In addition, we can anticipate that the EU national data protection authorities (“DPAs”) and the Article 29 Working Party will soon issue their own guidance to help businesses which need to transfer personal data to the US. In the meantime, we think it rather unlikely that EU DPAs will initiate enforcement action until businesses have had some time to put their house in order and to look for alternative solutions.

We can also expect that the ongoing EU-US negotiations about a “Safe Harbor 2.0” will be accelerated or, at the very least, that the Commission will issue an update about their current state of play.

Having said that, it is not too early for businesses to start thinking about the arrangements available to address the invalidity of Safe Harbour and to continue transferring data to the US lawfully. The purpose of this note is to give a quick overview of these options.

Options for US Safe Harbour-certified service providers

1. Wait and see – Adopt a “wait and see” approach until a new Safe Harbour framework is finalised.

Pros

  • Cost and time saving
  • Can adapt once an alternative solution is available

Cons

  • Risk of loss of customer trust and, in the long run, possible DPA enforcement action for non-compliance (although enforcement is unlikely in the short term)

2. EU Model Controller-to-Processor Clauses – Execute the EU Model Clauses between the US entity and its EU customers, with additional wording creating a ‘general framework’ that permits subcontracting and addresses the requirement for separate per-customer sub-contracts with each subprocessor.

Pros

  • In line with customers’ expectations of compliance with EU data protection standards
  • Quick and straightforward drafting process that would be applicable in all EU countries

Cons

  • Need to ensure practical compliance beyond the contractual arrangement
  • Administrative burden – obligation to file the Model Clauses with some of the EU DPAs alongside a request for authorisation

3. Binding Corporate Rules for Processors (“BCRs-P”) – Implementing BCRs-P effectively involves developing and rolling out a global privacy compliance programme in line with the applicable checklists and requirements. It also requires sufficient guarantees in terms of technical and organisational security measures. In addition, specific provisions must be agreed with customers in order to allow subprocessing.

Pros

  • Practically focused – ability to tailor the compliance programme to the needs of the organisation
  • Can be implemented as a general solution for the entirety of the organisation’s service offering

Cons

  • Lengthy, complex and expensive application process (approval may take up to 3 years for a pan-European BCRs-P)
  • Whilst they can be implemented for the provision of a standardised offering, they may not be adapted to the provision of a bespoke solution
  • Wrong timing – if enacted, the proposed draft EU Data Protection Regulation is likely to offer a more streamlined process
  • Some EU countries (e.g. Hungary) and non-EU countries do not recognise BCRs-P

Considering the complexities of the application process, a half-way solution could be to start developing a BCRs-P framework without actually submitting it for approval. In practice, getting ‘BCR-ready’ notably involves:

  • Reviewing, updating and drafting documentation in line with EU privacy standards;
  • Providing training to personnel that have access to personal data;
  • (Potentially) setting up a complaint handling process for data subjects;
  • Implementing an audit programme to be carried out on a regular basis.

4. EU data centres – Use a data storage architecture located in the EU to have data stored and processed in the EU.

Pros

  • No data transfer restrictions to address, and therefore no DPA scrutiny of the transfer mechanism, so long as no data leaves the EU

Cons

  • May involve costs and a number of considerations about the data centre location
  • Not helpful if data still needs to be transferred onwards to the US, for example to provide remote support

Options for EU companies currently using a Safe Harbour-certified US-based service provider

1. Wait and see – Keep using the US-based service provider and adopt a “wait and see” approach until a new Safe Harbour framework is finalised.

Pros

  • Cost and time saving
  • Can adapt once an alternative solution is available

Cons

  • Reputational risk and possible DPA enforcement action for non-compliance if a new Safe Harbour framework is not enacted in the near future

2. EU Model Clauses – Execute the EU Model Clauses, either directly with the service provider (controller-to-processor) or as intra-group clauses with a group company based in the US (controller-to-controller), which then engages the service provider.

Pros

  • In line with customers’ expectations of compliance with EU data protection standards
  • Quick and straightforward drafting process that would be applicable in all EU countries

Cons

  • Need to ensure practical compliance beyond the contractual arrangement – must ensure that the US group company flows down the obligations set out in the Model Clauses to the US service provider
  • Administrative burden – obligation to file the Model Clauses with some of the EU DPAs alongside a request for authorisation

3. EU-based service provider – Engage a service provider established in the EU.

Pros

  • No data transfer restrictions to address, and therefore no DPA scrutiny of the transfer mechanism, so long as no data leaves the EU

Cons

  • Responsibility for compliance remains with the EU company as data controller, which must ensure that the EU service provider does not transfer data outside the EU (in particular onwards to the US) unless an adequate data transfer solution is in place

4. Consent – Obtain the informed consent of the individuals whose personal data is to be transferred to the US.

Pros

  • Quick / cheap “fix”
  • Could serve as an immediate short-term alternative until a new Safe Harbour framework is finalised

Cons

  • May be difficult to rely upon for repeated and systematic data transfers
  • Consent is likely to be held invalid for certain categories of data subjects (e.g. employees) where, because of the imbalance of power, it cannot be regarded as freely given

5. Other legal grounds for data transfer – the most relevant derogation here is the so-called “performance of a contract” ground, where the transfer is necessary for the performance of a contract between the individual and the data controller (or concluded in the individual's interest)

Pros

  • No need for any additional formalities

Cons

  • Applies only in limited circumstances and is usually narrowly interpreted by DPAs

6. Binding Corporate Rules (“BCRs”) – Implementing BCRs effectively involves rolling out a global privacy compliance programme in line with EU data protection standards and affording sufficient data security guarantees.

Pros

  • Long-term solution which is formally recognised by the EU DPAs and is likely to be endorsed by the upcoming EU Data Protection Regulation
  • Practically focused – ability to tailor the compliance programme to the needs of the organisation

Cons

  • Lengthy, complex and expensive application process (approval may take up to 3 years for a pan-European BCRs)
  • Wrong timing – if enacted, the proposed draft EU Data Protection Regulation is likely to offer a more streamlined process
  • Some EU countries and non-EU countries do not recognise BCRs