Most businesses will send data to the US at some point. As businesses take advantage of the cost-savings and convenience of cloud storage services and HR solutions, transfers of personal data to the US (and more generally outside of the EEA) become increasingly prevalent. This reality has made the recent turmoil over transfers of personal data to the US even more of a critical issue for businesses.
The basics and the background
Personal data is information about people. All HR/staff data is likely to be personal data (unless it is aggregated data or truly anonymised). Personal data is transferred outside of the EEA if it is “processed” (broadly defined to cover doing practically anything with data) outside of the EEA. This means that any personal data that is stored on servers in the US or accessible from the US for support/maintenance services has been “transferred” for the purposes of European data protection law.
One of the data protection principles prevents organisations transferring personal data outside of the EEA unless there is an adequate level of protection for that personal data. The European Commission (“EC”) has recognised only about a dozen non-EEA countries as providing adequate protection, not including the US. There are EC-approved legal mechanisms available to ensure adequacy: standard contracts and intra-group binding corporate rules (BCRs) and some derogations, such as consent and contractual necessity.
Safe Harbor and Privacy Shield
Less than a year ago, many businesses were transferring personal data to the US under the Safe Harbor regime (which involved US business self-certifying that they met certain standards). But Safe Harbor was invalidated by the Court of Justice of the European Union (“CJEU”) on 6 October 2015. This left many businesses that were relying on Safe Harbor suddenly in breach of European data protection laws.
The Privacy Shield framework was developed to replace Safe Harbor and is intended to address the requirements of the CJEU’s ruling on the inadequacy of the Safe Harbor framework and recommendations from the EC and from European data protection authorities (“DPAs”), including the ICO. It was formally adopted on 12 July 2016 and the EC’s adequacy decision entered into force immediately. US companies have already started to self-certify.
Transferring personal data to the US: How to comply in practice
If you want to transfer personal data to the US, below is a summary of some of the most relevant options available to legitimise those transfers:
- Privacy Shield – Despite improvements to the Privacy Shield framework, there are still concerns that it will be challenged and invalidated like the Safe Harbor regime. Any challenge to the Privacy Shield will take time and, in the meantime, Privacy Shield is available so you can transfer personal data to participating US companies if the data being transferred is covered by their certification (the covered data categories are HR data and non-HR data). The list of companies can be searched here.
- Standard contractual clauses (“SCCs”) – SCCs are a model form of contract entered into by an EU data exporter and the US data importer. As SCCs have been approved by the EC, they cannot be amended or negotiated. This may not be the most practical solution for US businesses as they will need to execute an agreement with each of their EU customers. Having said that, SCCs are still one of the most common mechanisms used by businesses to legitimise transfers of personal data outside of the EEA and can be structured to cover both one-off and continued transfers between 2 or multiple parties.
- Consent or contractual necessity– Personal data may be transferred to the US if:
- the individual has given his/her consent to the transfer of their personal data. It is worth noting that consent has to be specific, informed and freely given and it is not best practice to rely on consent for bulk and continued transfers of data. It is also viewed rather dubiously in the employment context by most DPAs and as unlawful in Germany, due to concerns over whether employee consent can be freely given; or
- it is necessary for the conclusion or performance of a contract. This is interpreted narrowly and a transfer is not considered necessary due to the way a company has chosen to structure its business (e.g. choosing to use cloud services with servers in the US).
- Binding corporate rules (BCRs) – Mature organisations sharing personal data between group companies may consider putting BCRs in place. These are a framework data sharing arrangement meaning that all group companies agree to be bound by European standards to protect data, and includes approval of policies and procedures adopted by the group. As developing and getting DPA approval for BCRs can be a time- consuming process (normally taking about 18 months) and only apply to group companies, they will not be appropriate for all transatlantic data transfers. However, once in place, BCRs offer more flexibility (as legal mechanisms and policies can be tailored to your organisation and cover different data flows) and certainty (as BCRs are specifically included in the General Data Protection Regulation as a mechanism for transferring personal data). Some suppliers also implement BCR for processors, covering customers’ data.
- Assessments of adequacy – Uniquely, UK data protection laws allow data controllers to make their own assessment of the adequacy of the protection afforded by the recipient in the non-EEA jurisdiction. This will involve the data controller carrying out and documenting a risk- assessment. As mentioned, this is only permissible under UK laws, and the assessments may still receive some regulatory scrutiny, so should be justifiable.
- Anonymising the data – It may be worth considering whether it is truly necessary to share the personal data with the US companies. If the same business objective can be achieved through using anonymous data, then the data transfer would fall outside the scope of EU data protection laws. True anonymisation can be quite difficult to achieve, so companies should review the relevant regulator’s guidance about anonymisation to ensure that the personal data has been sufficiently anonymised.
Lastly, don’t forget that in addition to making sure any transfers of personal data comply with this data protection principle, you also need to ensure compliance with the other requirements of data protection law. This includes a requirement to enter into a written contract containing certain provisions with any suppliers/sub-contractors with access to personal data, ensuring the supplier will enable you to still comply with data subjects’ rights and being transparent with the data subjects.
