October 22, 2015
On October 6, 2015, the Court of Justice of the European Union ruled “invalid” the July 2000 decision of the EU Commission to allow U.S. companies to transfer personal data from the EU to the United States when complying with the principles outlined in the so-called Safe Harbor agreement, meant to ensure there was an adequate level of protection of the personal data transferred. In striking down this agreement, the EU’s highest court disrupted the data traffic enabling many companies to transfer the personal information of Europeans to the United States.
This ruling comes after an Austrian citizen brought a case against Facebook in Ireland (where its European headquarters are located) to the court’s attention. He claimed, and the Court of Justice has now backed him up, that his privacy had been violated because the U.S. National Security Agency’s mass-surveillance programs, first revealed by Edward Snowden, had access to his personal information stored by Facebook on U.S. territory.
By accepting his claim, the Court in essence states that the level of protection of data in the United States cannot be considered adequate, even for organizations compliant with the Safe Harbor agreement, in light of the powers available to the national supervisory authorities.
On October 20, 2015, the group of EU data protection regulators (the Article 29 Working Party) issued its first guidance on this landmark decision and stated that it is not prepared to wait long before taking enforcement steps. If no appropriate solution is found by the end of January 2016, the regulators will consider taking enforcement action.
Companies transferring personal EU data to the United States should urgently review their existing data transfer arrangements to establish whether such transfers can continue to be lawfully justified and make any necessary changes to those arrangements where required.
The Safe Harbor agreement between the European Union and the United States has been used extensively by American and European companies to exchange personal information of citizens of EU countries, with this information being retained in the United States. Such exchange is regulated by the EU Data Privacy Directive, which prevents companies operating in the EU from sending personal data to countries outside the European Economic Area (EEA) unless those countries guarantee adequate levels of protection, comparable to those provided by the Directive itself.
Since its inception, significant criticism and concerns regarding compliance with and enforcement of this agreement have been raised. The most criticized aspect is the certification of compliance, which companies can obtain through self-assessments that determine compliance with the seven principles of the agreement on how to handle and protect personal information.
Additional concerns were added just a month ago, when the U.S. government and Microsoft went to court over a search warrant, which the government argues should compel Microsoft to retrieve emails held on a Hotmail server in Ireland. Microsoft lost the case in the United States when the U.S. Department of Justice asserted that governmental investigative bodies have the right to demand the emails of anyone in the world from any email provider headquartered within U.S. borders. This ruling is presently being appealed vigorously by Microsoft, and it appears that with its latest ruling, the EU Court of Justice is taking the side of the U.S.-based companies rather than U.S. governmental authorities.
Should You Be Concerned?
While the general advice is not to panic and to wait for either a new form of agreement between the United States and the EU, or for additional legislation from each EU member country to regulate the export of personal data, the following organizations are immediately impacted by the EU Court of Justice ruling and will need to revisit their procedures for transferring and/or storing personal data belonging to EU citizens:
- Organizations headquartered in an EU member country which:
  - Plan to transfer personal data about EU citizens to the United States (for a variety of reasons)
  - Use (or plan to use) either service providers based in the United States or computing facilities located in the United States when personal data of EU citizens will be part of the data processed
  - Plan to acquire or merge with U.S.-based organizations
- Organizations based in the United States that:
  - Have a multinational presence inclusive of EU member countries
  - Have, or plan to enter into, an agreement with an EU-based organization requiring some form of personal data inflow into the United States
  - Currently store or process personal data of EU citizens
Some companies may assert that they do not own or process personal data, hence they need not be concerned with this issue. However, such cases are extremely rare, because any company in business contact with the EU processes at least the personal data of its workforce as part of some of its most essential activities.
Effects and Actions to Be Considered
The most immediate effect of the EU Court of Justice ruling is that organizations can no longer transfer personal information they collect from employees and customers resident in EU member countries to companies in the United States solely on the basis of those companies’ certified compliance with the Safe Harbor agreement.
This limitation includes internal transfers, and is applicable to companies with presence in both the United States and an EU member country. As a result, personal data in a company’s possession belonging to EU citizens can no longer be transferred to the United States without taking additional steps beyond the obligations of the Safe Harbor agreement. Therefore, the need to consider segmenting personal data into EU- and non-EU-based categories has arisen as an urgent priority.
Consider the following challenges stemming from this ruling:
- If a company, for example, has operations in the United States, France, the United Kingdom, India and China, the personal information belonging to French and UK employees must be segregated from other employees and flagged for prevention from transfer to the United States, India, China and any other non-EU country. If the company also collects personal data from customers beyond countries where it has a physical presence, then their personal data also must be segmented and flagged into EU-based and non-EU-based subsets.
- The EU court’s decision doesn’t order an immediate end to personal data transfers. It’s still possible for personal data belonging to persons living in the EU to be transferred to the United States. However, such transfers will no longer be protected on the basis of Safe Harbor self-certification, but must be carried out under a separate instrument referred to as a “personal data transfer model contract.” We expect that many companies will rush to draft such model contracts, but this presents other issues – while the EU has pre-approved certain types of these contracts, they may not be suitable in certain cases. In the absence of such contracts, EU country regulators now may choose to investigate and suspend non-EU companies if they don’t provide sufficient protections.
- Even if specific data transfer model contracts are available, it’s unclear whether such contracts will be sufficient to demonstrate that personal data is stored under adequate standards of protection as long as the U.S. government continues to claim the right to access any digital document stored on U.S. territory (and even beyond that, as the Microsoft case demonstrates).
- Companies that are processing and storing personal data belonging to EU citizens need to consider different storage locations immediately. Some, such as Google, Microsoft and Apple, have already implemented separate storage solutions located in EU countries. Others need to rethink their strategy for processing EU data outside the EU region, which could impact those who have set up operations in shared service centers around the world.
- A separate but related issue is the transfer of personal data into the United States for the sole purpose of storage, and whether this data is encrypted properly. This widespread need is typically satisfied by cloud providers, which can be based, or at least have storage infrastructure, in the United States.
- Companies may need to obtain explicit consent from EU citizens for transfers of their data to the United States, and begin to think about the implications should EU citizens “opt out” of their services.
- This ruling raises concerns for companies not based in the EU but holding and processing personal data of EU citizens. The next round of privacy legislation being discussed by the EU Commission is expected to hold these companies responsible for loss of that data, as well.
Recommendations for Management and the Board
At the present time, Safe Harbor does not have a viable replacement or alternative. We anticipate that an alternative should come in the near future. For example, on September 8, 2015, the EU Commission reported the finalization of the EU-U.S. negotiations on the data protection “Umbrella Agreement,” a high-level framework that sets safeguards and guarantees the lawfulness of personal data transfers between the two parties. We will issue another Flash Report if and when this agreement is officially ratified and goes live, as its impact will be significant.
Meanwhile, if your organization falls under the impacted categories mentioned above, you should seek legal advice to evaluate whether the transfer of personal information of EU citizens to the United States and other countries external to the EEA can continue under some other terms. These terms will likely fall in the following categories, in which we suggest actions to take:
- Data privacy impact assessments. Conduct a data privacy impact assessment to understand the extent of private data your organization holds and key privacy risks to which you may be exposed.
- Model contracts for the transfer of personal data to third countries. To date, the EU Commission has issued two sets of standard contractual clauses for transfers to data controllers established outside the EU/EEA, and one set for the transfer to processors established outside the EU/EEA. Consult with your legal advisers to determine whether these standard clauses will cover your organization’s specific needs.
- Establishing binding corporate rules. Consider establishing internal binding corporate rules for sharing data between entities. However, proceed with caution and consult with legal advisers. Establishing these rules and policies can be complex and cumbersome, and they need to be overseen by a European data protection agency.
- Assessing personal data flows and encryption. Personal data from EU citizens can be kept, stored and processed in one of the EU member countries. The flow of the rest of the personal data needs no alteration if maintained within the EU. Therefore, organizations may need to rethink how they structure internal operations that process personal data outside the EU region. Additionally, if cloud providers that store your organization’s data have their data centers outside of the EEA, consider how you are encrypting personal data before sending it to storage providers. In such cases, your organization should maintain encryption keys on premises, rather than with the provider.
© 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
One other action to be considered by companies, and in particular by service providers, is to procure and offer European-based data processing facilities that are ring-fenced in Europe. As data processing, rather than data storage, is the main concern of this legislation, U.S.-based organizations that process EU data can still do so with Internet-based applications hosted in EU countries, as long as the data is not then brought into the United States.
Please note that this information is not intended to be legal analysis or advice, nor does it purport to address every issue that may impact financial institutions and other companies or every government response. Organizations should seek the advice of legal counsel or other appropriate advisers on specific questions as they relate to their unique circumstances.
Content Contributed by: