U.S.-EU Data Transfers after the Schrems Opinion

By Chesley Turner on November 11, 2015 3:35 PM

Have you been following the rulings on U.S.-EU Data Transfers? New developments may – or may not – affect your business. World Travel, Inc.’s Corporate Counsel, Maribeth Minella, addresses What Happened and What Now for our industry update this week. Keep in mind that Data Transfer is a finely regulated topic, particularly when crossing international borders. You'll find Maribeth's overview below.

What Happened?

There’s been much ado about Max Schrems. In case you don’t know who Mr. Schrems is, it was his complaint that prompted the Court of Justice of the European Union (the “Court”) to essentially invalidate the U.S.-EU Safe Harbor Framework.

According to Wikipedia, Max Schrems is an “Austrian privacy activist who campaigns against Facebook for privacy violations.”[1] While studying law during a semester abroad at Santa Clara University in California, Schrems asked Facebook to provide him with a copy of his records. He apparently received a CD with over a thousand pages of data.[2] After that, he filed numerous complaints with Facebook about how it handles personal data under European law.[3] Schrems argued that US laws do not adequately protect data transferred from the EU. His argument was grounded in revelations made in 2013 by Edward Snowden concerning activities of the U.S. National Security Agency (NSA).[4] Schrems' point was that US data privacy laws do not adequately protect data from surveillance by U.S. government agencies, like the NSA. Eventually, Schrems filed a complaint about Facebook’s transfer of data from the EU (Ireland, specifically) to the U.S. with the Irish Data Protection Commissioner. Schrems’ case eventually made it to the Court of Justice of the European Union – the highest court of the European Union (EU) in matters of EU law.[5]

For now, it seems that Schrems has won. On October 6, 2015, the Court issued an opinion in the matter Schrems v. Data Protection Commissioner that invalidated the European Commission’s July 26, 2000 decision that the U.S. Safe Harbor Framework ensured an adequate level of protection of personal data transferred from the EU to the U.S. In layman’s terms: the agreement between the U.S. and the EU which set forth rules about how U.S. businesses can transfer data from the EU to servers located in the U.S. has been called into question.

The Schrems decision is not, however, an unexpected outcome. There has always been a concern that the patchwork of privacy and data security laws in the U.S. is not up to par with EU data privacy standards. In fact, the European Commission (the “Commission”) made specific recommendations in November 2013 that strongly suggested that the U.S. Safe Harbor Framework was at least due for a major update.[6]

Nonetheless, the Schrems decision has unfortunately left U.S. businesses that voluntarily complied with the Safe Harbor Framework uncertain about the validity of their EU-U.S. data transfers. The good news is that despite the overwhelming number and varied opinions on the impact of the Schrems decision, it is quite likely that this “limbo” period will end quite soon. On the day of the Court’s decision, the European Commission held a press conference announcing that it viewed the decision as “confirmation of the European Commission’s approach for the renegotiation of the Safe Harbour.”[7] It reiterated that it was already working with U.S. authorities to “make data transfers safer for European citizens.”[8] By October 26, 2015, the Wall Street Journal reported that the EU and U.S. agree in principle on a new data transfer agreement.[9]

The better news is that pursuant to the Commission’s original 1995 directive on the protection of personal data (Directive 95/46/EC, or the “Directive”), there have always been multiple channels to transfer personal data from the EU to the U.S. in a compliant manner.[10]

Next, we will briefly review these options, along with some predictions about “Safe Harbor 2.0.”

What's Next

Above, we covered “what happened?” regarding Schrems v. Data Protection Commissioner. In that opinion, the Court of Justice of the European Union (the “Court”) held that the European Commission’s (the “Commission”) earlier finding that the U.S.-EU Safe Harbor Framework sufficiently protects data transferred from the EU to servers located in the U.S. is invalid.[11] The consequence of the Court’s opinion is that U.S. businesses that relied upon the Safe Harbor Framework to essentially authorize their transfer of data from the EU to the U.S. now need to look to alternative channels to properly protect such data transfers. That does not mean that anything new or different needs to be considered. The 1995 directive on the protection of personal data (Directive 95/46/EC, or the “Directive”) always contemplated multiple channels to transfer personal data from the EU to the U.S. in a compliant manner. In fact, last Friday, the Commission published a communication reiterating the viability of these alternatives.[12]

Below is a brief description of what U.S. businesses can do while we wait for “Safe Harbor 2.0.” They can:

  • employ Standard Contractual Clauses (“SCCs”),
  • employ Binding Corporate Rules (“BCRs”), or
  • determine to what extent one of the specifically contemplated derogations set forth in the Directive applies.[13]

Standard Contractual Clauses

There are four sets of SCCs: two relate to transfers between controllers and two relate to transfers between a controller and a processor. In each case, the SCCs set forth the respective obligations of data exporters and importers, including but not limited to security measures, notification obligations, and obligations regarding the rights of data subjects.[14] U.S. businesses that want to investigate this option can find copies of the SCCs here.[15]

Binding Corporate Rules

Similarly, BCRs are internal rules (like codes of conduct) most often adopted by multinational companies in order to apply adequate safeguards for the protection of privacy within the meaning of the Directive. BCRs are beneficial because they negate the need for contractual clauses for each transfer within a group of related entities.[16] U.S. businesses that want to investigate this option can find out more here.

Applicable Derogations

Finally, the Directive permits specific instances (derogations) when personal data may be transferred to entities outside of the EU. These instances are narrow in scope and are strictly interpreted. With respect to the travel industry, interestingly enough, two of the derogations specifically contemplate travel transactions, such as when a travel agent forwards the details of a flight booking to an airline or when payment information is transferred in the context of a hotel reservation.[17]

Again, these rules apply for now. As for the new rules? It’s likely that “Safe Harbor 2.0” will look a lot like what the Commission put forth in the original data protection Directive, but updated to address the issues raised in 2013 by Edward Snowden and the U.S. government’s surveillance activities. If it were left to Max Schrems, the new rules would keep data transfers transparent, data subjects would opt in instead of opting out, data subjects would be allowed to “decide things for themselves,” and all transfers would include only the minimal amount of data necessary.[18]

As it turns out, Schrems may not be far off the mark. Commissioner Jourová has already announced that the new framework will include stronger oversight by the U.S. Department of Commerce, along with greater cooperation between European Data Protection Authorities and U.S. authorities.[19] U.S. businesses should also expect to provide European citizens with easy channels to address objections to transfers of personal data. U.S. businesses will likely be expected to be more transparent about privacy policies and to demonstrate with certainty how they apply those policies to day-to-day processes. In the end, it is clear that how U.S. businesses transfer personal data from the EU to servers in the U.S. will remain a focus for both the EU and the U.S. for the foreseeable future.

Footnotes
[1] en.wikipedia.org/wiki/Max_Schrems.
[2] Id.
[3] You can learn more about Schrems and his advocacy against Facebook’s data practices at his Europe v Facebook (EvF) site: europe-v-facebook.org.
[4] Schrems v. Data Protection Commissioner, Case C-362/14, [2015] E.C.R. I-650, ¶ 3.
[5] Id.
[6] Commission Communication to the European Parliament and Council on the Functioning of the Safe Harbor from the Perspective of EU Citizens and Companies Established in the EU, COM(2013) 847 final.
[7] Statement of the European Commission by First Vice-President Timmermans and Commissioner Jourová’s press conference on Safe Harbour following the Court Ruling in Case C-362/14 (Schrems).
[8] Id.
[9] Natalia Drozdiak, “EU, U.S. Agree in Principle on New Data-Transfer Pact,” Wall Street Journal, October 26, 2015.
[10] See Council Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data, 1995 O.J. L 281.
[11] See Schrems v. Data Protection Commissioner, Case C-362/14, [2015] E.C.R. I-650.
[12] See Communication from the Commission to the European Parliament and Council on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems), COM(2015) 566 final [hereinafter the “Communication on Schrems”].
[13] Id. at 4.
[14] Id. at 5-6.
[15] Any business that wants to use any of the options reviewed in this article is hereby specifically advised to seek the advice of legal counsel.
[16] Communication on Schrems, supra, at 7-8.
[17] Id. at 8-9.
[18] http://europe-v-facebook.org/EN/Objectives/objectives.html.
[19] Natalia Drozdiak, “EU, U.S. Agree in Principle on New Data-Transfer Pact,” Wall Street Journal, October 26, 2015.