International Data Transfers – what should employers do now?
This week (Tuesday, February 7, 2017), the hearings have started in the “Schrems II” litigation before the Irish High Court. The result of this litigation might be that the High Court refers proceedings to the European Court of Justice (EU CoJ) with the request to declare the “Standard Contractual Clauses” (SCC) to be invalid.
This is just another development around international transfers, following the EU CoJ verdict of October 6, 2015 (Schrems) and the development of the EU-U.S. Privacy Shield last year. Recently, German local Data Protection Authorities have sent out questionnaires to 1,500 companies Germany-wide, asking them in some detail about their use of personal data and to what extent such data are being sent to non-EU countries (for details see our blog by Till Hoffmann-Remy).
These developments affect any employer with a U.S. or other non-EU parent company. In that context, HR data are likely to be shared through an international HR database; other programs such as online recruiting tools, online feedback or appraisal systems may also be used. The developments are equally relevant for a company that uses cloud storage or cloud computing, if a vendor or provider from a non-EU country has access to the data or, of course, if the cloud provider stores data on servers outside the EU.
European Court of Justice – Decision dated October 6, 2015 “Schrems” – or now, “Schrems I”
Following the EU CoJ decision on the transfer of personal data into the U.S., the EU-U.S. Safe Harbor Principles (“the Principles”) are no longer an option. The EU CoJ declared these principles invalid in a decision of October 6, 2015 – C-362/14. Austrian data privacy activist Maximilian Schrems had filed a complaint against the Irish Data Protection Commissioner, claiming that Facebook could not properly rely on the Principles. The Irish Commissioner referred the issue to the EU CoJ, which declared the Principles invalid. Central parts of the legal reasoning were that data transfers are not acceptable if (i) they lead to EU citizens being subject to investigation by U.S. authorities on a general and non-specific basis and (ii) the EU citizen is not granted sufficient and effective data subject rights and legal remedies in case of non-compliance (highlighted in the following quote by the author):
“94 In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (see, to this effect, judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 39).
95 Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter. The first paragraph of Article 47 of the Charter requires everyone whose rights and freedoms guaranteed by the law of the European Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article. (…).”
The decision was not altogether a surprise. The Safe Harbor Principles had been subject to criticism by European data protection activists and some data protection authorities for a while. Despite this, the decision caused disruption, since some 5,500 companies had subscribed to the Principles. The EU Art. 29 Working Party on data protection issued a statement granting a grace period until January 31, 2016, for companies to find alternative approaches for the international transfer of data.
As early as November 2015, German data authorities such as the authority in Hamburg contacted companies with a U.S. parent company (based on those listed on the U.S. Department of Commerce website as having signed up to the Principles) and questioned them about their data transfers. Although most companies had found alternative approaches by the end of the grace period in January 2016, those still basing transfers on the Safe Harbor Principles were fined. Another round of investigations by local Data Protection Authorities has now been launched.
EU-U.S. Privacy Shield
On February 3, 2016, the U.S. government and the EU announced that they had come to an agreement, the EU-U.S. Privacy Shield (“Privacy Shield”). With further input from various parties, the final agreement was announced on July 12, 2016. The Privacy Shield is structured in several parts:
- Agreement between the EU Commission and the U.S. Government
- EU Commission Adequacy Decision of July 12, 2016
- Annex I: Arbitration Model
- Annex II: EU-U.S. Privacy Shield Framework Principles issued by the U.S. Department of Commerce (II Principles and III Supplemental Principles), including:
  - Rules on onward transfer
  - Rules on purpose limitation
  - Rules on access
  - Rules for the self-certification process
  - Rules for dispute resolution and enforcement
- Letter from the U.S. Secretary of Commerce, July 7, 2016
- Letter from the U.S. Acting Under Secretary for International Trade
- Letter from U.S. Secretary of State John Kerry, July 7, 2016, etc.
U.S. companies have been able to self-certify to the Privacy Shield since January 1, 2016. Currently, roughly 1,600 companies have been certified – see the list here. The Privacy Shield has been subject to criticism similar to that raised against Safe Harbor. Various European data protection activists have filed complaints against the new arrangement. Another difficult question is what effect the recent activities of U.S. President Donald Trump will have on the guarantees that have been made in the context of the Privacy Shield.
Standard Contractual Clauses and “Schrems II”
Standard Contractual Clauses (SCC) have been a trusted option for international data transfers based on the currently still valid EU Data Protection Directive 95/46/EC, Art. 26 para. 4. There are the 2001 and 2004 versions for Controller-to-Controller transfers, as well as a more recent 2010 version for Controller-to-Processor transfers.
SCC include a fixed set of mutual contractual clauses for both the European company as data controller and the non-EU data importer, either as another data controller or as a data processor. The Clauses have two Annexes: Annex I, which outlines further obligations of the parties, and Annex II, which describes the details of the data transfer (and needs to be filled out very carefully). Multi-party agreements with various EU and non-EU entities participating are fairly common.
However, as mentioned above, further proceedings are now pending in Ireland aimed, this time, at the SCC. Maximilian Schrems and Facebook are both parties to this litigation. One of the concerns raised is that contractual clauses between the individual parties (data exporter and data importer) do not and cannot address the issue of data being accessed and processed by U.S. agencies, or the lack of legal remedies. Hearings started on February 7, 2017. The U.S. government has filed a statement with the Irish High Court in this context, outlining its position. It is expected that the Irish court will follow the opinion of the Irish DPO and refer the matter to the EU CoJ.
Other option: Binding Corporate Rules?
Binding Corporate Rules have been an effective and accepted option for international data transfers in the past and will continue to be effective under the EU General Data Protection Regulation. Roughly 90 companies have gone through the procedure to have their Binding Corporate Rules accepted by the EU. These are mostly larger companies (for example, Airbus, BMW, eBay, Siemens, Deutsche Post and Deutsche Telekom). Binding Corporate Rules are not normally an option for smaller companies, not only because of the time needed to gain approval but also because of the cost. In addition, they only cover intra-company data transfers, not those to third parties or data processors, which limits their value.
Summary and recommendation
For most companies and transfers today, the Standard Contractual Clauses still remain the best option. Not only are they applicable worldwide (as opposed to the Privacy Shield, which is only effective for the U.S.); they are also fairly easy to adopt. How the latest Schrems II challenge will evolve is not clear, but, perhaps with some amendments to the SCC, it is likely that some kind of contractual solution for international data transfers will remain available.
German employers should observe these developments closely and potentially review their current arrangements regarding data transfers into non-EU countries. If there is a need for amendment, they should also consider whether works council agreements need to be renegotiated.