As many employers know, the United States takes a different approach to privacy from that taken by the European Union (the EU). In an effort to harmonize these divergent approaches, the U.S. Department of Commerce developed a "safe harbor" framework, in consultation with the EU, governing the transfer of personal data to non-EU countries that do not meet the EU "adequacy" standard for privacy protection. In October 2015, the European Court of Justice (the ECJ) issued a decision with significant implications for U.S. employers that have, until now, relied on the self-certification provisions of the safe harbor framework. Concluding that U.S. law does not provide "an adequate level of data protection," the European Court of Justice pronounced the safe harbor framework invalid.
Presented with a claim originally made in 2013 to the Irish Data Protection Commissioner regarding Facebook's transfer of personal data from servers in Ireland to servers in the United States, where it was subject to surveillance by entities such as the National Security Agency, the ECJ issued its preliminary ruling on October 6, 2015. When considering whether or not safeguards provided by a third-party jurisdiction were adequate, the ECJ explained it was not considering whether the third-party country must ensure a level of protection "identical" to that of the EU. Rather, the court was looking for a level of protection for fundamental rights and freedoms that is "essentially equivalent" to that guaranteed within the EU. The protections afforded by U.S. law were found inadequate for several reasons, chief among them being that U.S. entities must comply with a number of conflicting obligations imposed by U.S. law, many of which do not comport with EU standards. The ECJ was particularly troubled by the fact that public authorities in the United States have generalized access to the content of electronic communications, thus compromising the fundamental right to privacy. As a result, the court pronounced the safe harbor arrangement invalid.
From this point on, those organizations (or individuals) that relied on the safe harbor framework to legitimize data transfers should review how they transfer and hold employee data. While the ECJ did not address the use of standard contractual clauses or corporate policies in its recent opinion, such safeguards may no longer suffice. These organizations are left to consider whether they can rely upon the data subject's consent for transfer or, alternatively, upon the fact that the transfer and processing of data to and in the United States is necessary "for the fulfillment of the contract"; in other words, it is necessary to enable the employment contract to continue. One problem with consent, however, is that the freedom with which it is given may be called into question, particularly in the employment context. While a data subject is less likely to raise concerns when it knows it has consented to the transfer of said data, there is always the risk that it will withdraw its consent.
Going forward, employers should carefully consider what employee data must be transferred from the EU to the United States. If possible, they should maintain and enhance an EU hub to store certain data, obviating the need for transfer. If transfers are necessary, employers need to explore whether all data must be transferred, or if only certain data sets need to be moved. Other safeguards may include enhancing contract terms between transferring organizations and ensuring that consents are given by employees to such transfer. Whatever is decided, it is essential that an employer can show, objectively, that its organization has taken adequate steps to secure employee data during transfer, processing and/or storage.