HR professionals and employment lawyers need a broad understanding of a number of people-related issues, one of which is data privacy. We try not to bombard you with information about data privacy unless something really important happens. It just has. The Court of Justice of the European Union has declared "Safe Harbor" invalid (for the uninitiated, Safe Harbor was the self-certification scheme relied upon by many organisations to transfer personal data from the EU to the US).
At Fieldfisher we have one of the country’s best data privacy legal teams. If you or your colleagues have any questions at all on this development we would be happy to put you in touch with that team. Please just ask one of the employment lawyers known to you. In the meantime here are a few immediate thoughts to give you a flavour of the issues to come:
- Safe Harbor can no longer be relied upon as a lawful basis for transferring personal data from the EU to the US.
- The judgment essentially reduces the number of EU-US data export options from three (Safe Harbor, EU Model Clauses and Binding Corporate Rules (BCR)) to two (EU Model Clauses and BCR).
- Safe Harbor 2.0 negotiations continue in the background, and will no doubt be under intense political pressure to conclude soon, but we have no current visibility as to their likely timescale for conclusion. We understand that points of disagreement remain around national security.
- The impact of Safe Harbor's invalidity will be felt both by companies acting as data controllers of their own data and by data processors (i.e. vendors and service providers) handling their customers' data.
- On the data controller side, EU-based controllers will come under pressure, e.g. from EU Data Protection Authorities (DPAs), to move their 'internal' data (consumer, CRM, HR and vendor data) to an alternative solution. We don't expect DPAs to rush to enforcement immediately (see e.g. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/10/ico-response-to-ecj-ruling-on-personal-data-to-us-safe-harbor/), nor, in an intra-group transfer context, do we expect group companies to start suing one another. Nonetheless, Safe Harbor certified data controllers, and EU data controllers who rely on Safe Harbor certified US-based processors, will need to transition to a new data export solution.
- On the US vendor/data processor side, the impact will be more immediate and potentially even more significant. US-based vendors who rely on Safe Harbor should anticipate that both new and legacy customers will put them under intense pressure to execute Model Clauses as soon as possible. We are already seeing service providers transition immediately to Model Clauses, and compliance-driven customers demanding that their vendors transition immediately to alternative solutions. The question then becomes whether the vendor should sign the Model Clauses. Put simply, there is no real alternative unless (1) the vendor has (or will shortly have) BCR in place, (2) the vendor is willing to carry the commercial risk of waiting to see whether Safe Harbor 2.0 concludes very imminently, or (3) the vendor is prepared to lose EU business.
So if your organisation is currently relying upon Safe Harbor (and wants to remain compliant) it will need to put an alternative measure in place, namely (1) EU Commission Model Clauses or (2) BCR. See Phil Lee's recent privacy law blog, "What will you actually have to do if safe harbor falls?", which sets out our initial thoughts on the practical steps you will need to take.
It is not yet clear what enforcement approach EU Data Protection Authorities will take towards organisations that fail to put an alternative measure in place. However, the Article 29 Working Party (the EU advisory body to the European Commission, whose membership comprises representatives of all national Data Protection Authorities) is meeting shortly to discuss this, and national Data Protection Authorities are deliberating on the issue. We therefore hope soon to have some clarity on whether there will be a grace period before EU Data Protection Authorities start taking enforcement action against organisations that do not put an alternative solution in place.
Transfers of personal data from the EU to the US will not stop tomorrow, but regulators will expect organisations that relied on Safe Harbor to put an alternative solution in place as soon as possible, and this pressure will flow (and intensify) down the data processing chain. Our initial recommendation is therefore to keep calm and carry on: transition to Model Clauses in the first instance, with an eye on more strategic solutions such as BCR in the medium to longer term.