In October 2016, a key agreement that allows the transfer of European residents’ personal data from the European Economic Area (EEA) to the U.S. called ‘Safe Harbor’ was deemed invalid by Europe’s top court.
The European Court of Justice (ECJ) made the landmark ruling on the agreement which has been in place since 2000. The court concluded that the agreement did not provide adequate protection for personal data in the context of access by intelligence agencies, an issue brought to light by former National Security Agency (NSA) contractor Edward Snowden and Austrian student Max Schrems, who filed a complaint against Facebook to the Irish data protection authority after Snowden’s publications in 2013.
What Happens Now?
Companies need to find another mechanism to legally “export” (or grant access to) personal data outside the EEA. The various options are discussed below. In addition, the ECJ confirmed that national data protection authorities have the authority to examine whether transfers of personal data to a third country meet the requirements of the EU data protection legislation.
Different countries and organizations have had a wide range of reactions to the ruling. Some data protection authorities (DPAs) have suggested a ban on most U.S. transfers; others have reached out to companies that have relied on Safe Harbor, reminding them to implement a compliant solution; the UK, meanwhile, is telling its businesses not to panic. The so-called Article 29 Working Party (which represents all EU data protection authorities) set a deadline of the end of January 2016 to implement a compliant alternative to Safe Harbor. While work on ‘Safe Harbor 2’ continues, most DPAs have stated that transfers to the U.S. should be treated in the same way as transfers to most other major economies outside the EEA, and legitimised using one of the other transfer options available.
Option one is, as mentioned above, a second version of Safe Harbor. The parties hope to reach a new agreement in early 2016, but it is not certain that an agreement can be reached before the end of January.
Option two is adopting Binding Corporate Rules (BCRs). BCRs are an intra-group framework with different elements (legally binding commitments, policies, training, audit, etc.) that guarantees that European personal data will be adequately protected within the group. Implementing BCRs is a heavyweight process, taking 12-18 months to gain approvals from DPAs. It is also intra-group only, and it is not clear how it would limit access by U.S. intelligence agencies.
Option three focuses on Model Contracts. This option is already widely adopted by businesses operating in the EEA, and is likely to be the most common alternative to Safe Harbor. It involves entering into bilateral arrangements that can be used with affiliates, third-party vendors or others with which companies want to share data. Potential issues include the fact that this solution also doesn’t prevent access by intelligence agencies, and in some countries additional complications arise from administrative formalities (submission of the model clauses and translated and notarized documentation relating to the signing authority of the officers executing the clauses). In addition, under this ruling, DPAs would be able to suspend their approval for the use of Model Contracts.
Option four is really a partial solution focusing on individual derogations (consent, contractual necessity, etc.). The issues with this solution include: difficulties in obtaining valid consent from affected individuals and the fact that other derogations (e.g., processing necessary for a contract with an individual) only operate on a case-by-case basis.
Worst Case Scenario?
If no workable solution is found, data storage solutions may have to be rethought. It may be easier to house and grant access to European data in Europe only. This solution is possible, but would involve significant structural change for many organizations. EU regulators seem likely to encourage a better outcome.
Safe Harbor: Take Home
We are currently in a grace period (until the end of January 2016, though this could be extended) as the U.S. and EU authorities try to negotiate an alternative form of Safe Harbor. Use the remaining time to select an option that works for your organization. Like most multinational companies, Iron Mountain has selected option three and executed Model Contracts.
What Does this Mean for Records Managers?
Records managers must ask the following questions:
- To what extent does my organization rely on third-party vendors for records/data processing?
- On what basis do our European affiliates export personal data to U.S.-based vendors, and what information does my organization keep on these vendors?
- Do any of our European affiliates’ EU vendors subcontract work to the U.S.?
- On what basis do these EU vendors export their data to such U.S.-based subcontractors?
- Do we have contracting arrangements in place to ensure compliance works all the way down the supply chain?
- Have I notified our procurement and compliance partners about potential vendor issues or changes?
To learn more about data privacy issues, see our article: “5 Noteworthy Data Privacy Trends.”