Following the Safe Harbor decision in Schrems, a German Data Protection Authority considers that the US needs to fundamentally alter its laws to allow for EEA transatlantic data transfer. Where do US employers with UK subsidiaries go from here?
Early this month, the European Court of Justice (ECJ) ruled that the Safe Harbor framework used since 2000 for the transfer of personal data from the European Economic Area (EEA), namely the EU Member States, Iceland, Liechtenstein and Norway, to US entities is invalid, leaving thousands of US employers who rely on the framework unclear as to their options (read the ECJ’s judgment here).
Earlier this week, one of the federal German data protection authorities (ULD) issued an opinion (in German) calling for a halt to all data transfers that rely on alternatives to Safe Harbor (e.g. model contractual clauses) in light of the decision in Schrems. In its view, adequate protection will only be provided if the US comprehensively alters its laws. The ULD believes that other data protection authorities in the EU might follow its view.
Schrems – the background
The Schrems ruling followed a refusal by Ireland’s Data Protection Commissioner (DPC) to investigate a complaint made by a user of Facebook, Mr Schrems, regarding Facebook’s European subsidiary, Facebook Ireland Ltd, transferring the personal data of its EU Facebook users to the US where it subsequently undergoes processing.
The Safe Harbor Framework – the basics
The transfer of data outside of the EEA is only permitted if adequate protection of that data is ensured (as set out in the Data Protection Directive 95/46/EC). In the UK this is known as the eighth data protection principle. For a number of US companies, adequate protection had, until the Schrems decision, been provided by voluntary self-certification of adherence to the Safe Harbor principles, which are enforced by the US Federal Trade Commission.
The background to the ECJ’s decision
Against the backdrop of the US intelligence service revelations made by Edward Snowden in 2013, Mr Schrems lodged a complaint with the DPC that the law and practice of the US does not offer sufficient protection against surveillance by the public authorities of the data transferred to the US. The DPC rejected Mr Schrems’ complaint as unfounded in light of the Safe Harbor framework, which it believed to offer an adequate level of protection. There followed High Court proceedings in Ireland, which resulted in a reference to the ECJ.
The ECJ’s decision
The ECJ held, in summary, that the framework did not ensure an adequate level of protection for personal data transfer as required by the Directive. The case will now return to the Irish High Court.
What next – the UK’s response (by the ICO)
The supervisory body of the Data Protection Act (DPA) in the UK, the ICO, has issued a statement in response to the ruling noting that businesses that use Safe Harbor will need to review how data is transferred to the US whilst acknowledging that this may take some time. The ICO will work with their counterparts in other EU member states and issue further guidance in due course.
Where does this leave businesses that transfer data from the EEA to the US?
In some uncertainty, for now. Businesses should continue checking the ICO website for updates and guidance (www.ico.org.uk). The European Commission and US authorities have for some time been negotiating a new arrangement to replace the Safe Harbor framework. Whilst these negotiations are at an advanced stage, there is no indication as to when the new arrangement may be announced.
US employers with UK or EEA subsidiaries who rely on the Safe Harbor framework should now assess what options are available to them to legitimise data transfer to the US in accordance with the Directive. The ICO’s statement refers to other bases on which data transfer can be made, which include (but are not limited to) the following:
- the use of model clauses (European Commission-authorised standard contracts): these are more useful for smaller companies than multi-nationals and can be burdensome, costly and involve a lengthy process;
- binding corporate rules (internal codes of conduct for multinational companies): the procedure to obtain these is cumbersome and the rules are only appropriate for intra-group data transfers; or
- freely given consent of the data subject to the transfer: this is not straightforward and data protection authorities have previously warned against relying exclusively on consent given that it can be withdrawn at any time.
However, the legitimacy of these options – particularly the first two – remains in question, as the German Data Protection Authority has this week highlighted. The use of model clauses and binding corporate rules could be subject to a declaration of invalidity or judicial review in light of the Schrems decision.
Next steps for US employers processing EEA employee personal data
US employers who rely on employee data transfer from the UK/EEA to the US (for example, to give an overview of UK/EEA workplace issues or, as frequently occurs, to assist or lead employee investigations in their European subsidiaries) will now need to consider carefully what is possible in terms of personal data transfer, and whether such data actually needs to be transferred in the first place. The Safe Harbor framework is not hugely popular with many US employers, being regarded as a somewhat cumbersome process, so other adequate protections for the transatlantic transfer of that data, such as model clauses or binding corporate rules, may already have been considered; alternatively, some businesses may be taking a risk by having no arrangements in place at all at present.
In light of the significant uncertainty and particularly the German data authority opinion now issued, US employers should consider whether the localised handling and management of employment issues within the EEA (as far as is possible), may be the safest course. They should also be circumspect when considering the transfer of employee personal data out of the EEA and also be aware of the penalties for any breach. In the UK these penalties could include (but are not limited to) a fine of up to £500,000 for serious breaches and the threat of civil proceedings. Across other European States the fines can also be substantial; in Germany and Spain for example, the sanction can include (but is not limited to) a fine up to €300,000. There are proposals in the pipeline to reform the current European data protection legislation and in the future these penalties could increase to €1,000,000 or, for companies, up to 2% of its annual worldwide turnover.
Even with the current penalties available to national enforcing authorities there is a significant risk that the sanction for unlawfully transferring employee personal data (including continued reliance on Safe Harbor) could cause greater exposure to financial liability for the employer than the value of any underlying employment law claim which the transfer of data to the US is intended to address.
Whether the ICO will penalise employers who continue using the Safe Harbor framework whilst it is still formulating its own response and guidance for employers is unclear, but it is a potential risk. In a world economy dependent on global information transfer, it seems unlikely, though, that data transfer to the US will be temporarily stopped whilst guidance is formulated. In the absence of a clear statement from the ICO, US employers should consider other bases for data transfer from the UK (whilst bearing in mind the recent German opinion and being aware that these alternative options may also become invalid). The most cautious approach, whilst we wait for clarification from the ICO, is to consider, as far as possible, the extent to which employee personal data can be processed by the US company’s EU-based HR professionals and counsel, whilst completely anonymising any employee data which may still need to be sent to Global HR and Counsel in the US.