Data plays a central role in many businesses, with personal data being increasingly considered critical for many business activities. Given the ever-increasing complexity of technology and globalisation of commerce, processing and storing personal data predominantly involves its transfer across national borders.
Large amounts of personal data flow between the EU and the US, in line with the high levels of transatlantic commercial activity. The ability to easily and legally transfer personal data across borders is therefore especially important to organisations involved in commercial activity requiring transfers of EU residents’ personal data to the US, or whose service providers require the ability to do so.
It is illegal to transfer personal data of EU residents to a country outside of the EU, except in specific circumstances. The Privacy Shield Framework (“Privacy Shield”) constitutes such an exception, in the form of a mechanism jointly implemented by the European Commission and the US to enable organisations to lawfully transfer personal data of EU residents to the US.
However, the Privacy Shield alone is not a reliable basis for ensuring such legal transatlantic transfers in the long term: it remains vulnerable to several criticisms with respect to its ability to protect the privacy rights of EU residents. Organisations involved in transatlantic personal data transfers should be aware of these vulnerabilities and explore alternative strategies for their EU-US personal data transfers, to ensure flexibility and business continuity in the event the Privacy Shield is ever successfully challenged. In doing so, organisations can also create additional benefits in relation to the forthcoming General Data Protection Regulation (“GDPR”), including minimising regulatory liabilities under the regulation, as well as contributing to their overall compliance with same.
The current EU privacy regime and EU – US data transfers
Under the current EU privacy regime, implemented in the U.K. by the Data Protection Act 1998, personal data of EU residents may be transferred to countries outside the EU only if appropriate consent has been obtained, or using Model Contract Clauses (“MCCs”) or Binding Corporate Rules (“BCRs”), unless the European Commission has formally determined that the country to which the data is transferred provides adequate protection to personal data (an “Adequacy Decision”). The US is not recognised as a jurisdiction that provides such adequate protection. The Privacy Shield fills that gap by instituting a mechanism to facilitate the legal transfer of EU residents’ personal data to the US without having to obtain consent or implement MCCs or BCRs.
The Privacy Shield contains a set of requirements governing participating organisations’ use and treatment of personal data of EU residents. By joining the Privacy Shield, participants make a commitment to comply with the framework that is enforceable under US law.
But can organisations rely on the Privacy Shield?
The Privacy Shield aims to facilitate transatlantic commerce by providing a clear mechanism for EU – US transfer of personal data, while incurring minimal additional organisational changes, costs and liabilities arising from the implementation of additional mechanisms to ensure compliance with cross-border data transfer requirements.
However, despite various revisions before its ratification in July 2016, the Privacy Shield remains subject to criticism that it does not fully protect the fundamental rights of individuals provided under EU privacy law. For example, there are concerns surrounding the lack of sufficient protection and readily available redress mechanisms against the decisions on automated processing of the Ombudsman, a role set out under the framework. Additionally, concerns remain that the Privacy Shield would not be able to control how US government agencies access EU residents’ personal data once it is in the US.
As a result, the Privacy Shield remains vulnerable to legal challenges. A successful challenge would mean that organisations relying solely on this mechanism to effect legal transfers of personal data of EU residents into the US would face, overnight, the unenviable choice of being in breach of EU data protection laws or stopping such transfers.
In the meantime, what should organisations looking to use the Privacy Shield do?
At present, the Privacy Shield remains an operational mechanism for the lawful transmission of EU resident personal data to the US, for organisations registered and operating under the framework. But, as discussed above, organisations relying solely on the Privacy Shield may find themselves in breach of EU law in the event of a successful challenge to the Privacy Shield.
To ensure flexibility and business continuity in the event the Privacy Shield is ever successfully challenged, organisations should seek to implement practical contingency strategies with respect to their EU – US data transfers. Organisations can integrate MCCs, BCRs and consent mechanisms into the management and structure of their existing data flows to the US. Doing so should continue to ensure legal cross-border data transfers to the US in the event of a successful challenge to the Privacy Shield, particularly insofar as active consent for such transfers can be obtained and clearly recorded and demonstrated.
In the alternative, organisations can consider minimising data transfers to the US, and choosing third-party providers who store and process personal data in jurisdictions the European Commission has confirmed provide adequate protection to personal data.
What does the GDPR mean for EU personal data transfers to the US?
The General Data Protection Regulation comes into force on May 25, 2018, replacing the current regime and introducing the most significant changes to the EU privacy landscape in 20 years. Restrictions on cross-border transfers will be maintained under the GDPR, with significantly increased fines for non-compliance. Under the GDPR, fines for unauthorised cross-border data transfers will be up to the higher of 4% of the organisation’s annual global turnover, or EUR 20,000,000. The GDPR also introduces regular reviews of Adequacy Decisions granted by the European Commission to non-EU jurisdictions. Such reviews would likely include the Privacy Shield, further increasing the possibility that the Privacy Shield may be found to offer insufficient protection under EU privacy law.
Implementing contingency plans in respect of EU – US personal data transfers will help organisations minimise costs and disruption by reducing the likelihood of finding themselves in a sudden situation of non-compliance with EU cross-border data transfer rules, as well as the potential increased liabilities resulting from heightened fines under the GDPR for non-compliance with same. Additionally, organisations currently relying on the Privacy Shield will also enhance their overall compliance with the GDPR. Integrating clear, practicable contingency plans into the organisation’s operational risk model demonstrates active compliance with GDPR requirements for data security, as well as ensuring the legitimacy of cross-border data transfers.
The Privacy Shield facilitates the legal transfer of EU residents’ personal data to the US, and organisations relying on it currently satisfy EU cross-border data transfer requirements. There are clear benefits for organisations who, in parallel, create and implement alternative approaches to ensure the legality of their transatlantic data transfers: such contingency plans are insurance against additional costs, uncertainty and business interruption in the event the Privacy Shield is successfully challenged. For maximum benefit, organisations should align the implementation of such contingency plans with the broader context of their GDPR compliance efforts.