The basis upon which European businesses are able to send personal data outside of Europe – and, especially, to the United States – has recently been the subject of intense scrutiny and negotiation between the EU Justice Commissioner and the US Department of Commerce. The outcome seems to be that EU businesses are allowed to send data to the US, but it’s useful to understand the background and what has been agreed.
Two very different things set the backdrop to last week’s EU/US agreement.
First, the EU’s 1995 privacy directive, which sets out the current law applying to businesses operating in the EU – and which is the law from which the UK’s Data Protection Act is derived – makes clear that data cannot be transferred outside of Europe unless:
(i) the EU has decided that the destination country provides an adequate level of protection for personal data (and the US as a whole has never been found to meet that standard);
(ii) the ‘data exporter’ (the EU business) and ‘data importer’ (the US business) have signed a ‘model clauses’ contract, which puts EU-approved terms in place between those parties;
(iii) it’s a transfer of data within a multinational that has put in place an approved set of ‘binding corporate rules’;
(iv) the data subject has consented to the transfer; or
(v) the EU has approved some other scheme.
One such scheme approved by the EU was the so-called ‘Safe Harbor’ programme set up by the US Department of Commerce. Under it, US companies self-certified that they complied with the Safe Harbor principles, which were intended to give EU businesses sufficient comfort that the US data importer would protect any personal data sent to it. Lawyers worried about whether the Safe Harbor scheme was actually good enough, and there was frequent debate about whether US security and law enforcement agencies could access the data, especially under the Patriot Act. But we all got on with sending data to the US because, if we didn’t, business would come to a halt: almost every major provider of technology solutions ends up with at least some part of its service based in the States.
Second, in 2013, Edward Snowden began to leak details of the activities of a US agency, the National Security Agency (NSA), which appeared to have broad access to the systems of the major US technology companies. Max Schrems, an Austrian law student and privacy activist, brought a complaint against Facebook, arguing that, because of the NSA’s activities, the basis on which personal data could be guaranteed adequate protection when sent to the US, even to companies that had certified compliance with Safe Harbor, was unsound. In practice, Schrems argued, the whole foundation on which Safe Harbor rested had been fatally undermined by the Snowden revelations: personal data sent to the US could not be adequately protected from government access. The case was referred to the European Court of Justice, which in October 2015 agreed with Schrems and declared the Safe Harbor decision invalid.
The Schrems judgment threw out the basis on which EU companies had been running their business-as-usual practices. Businesses could not realistically insist that their US providers stop handling their personal data in the US. Nor could they scramble around trying to get US providers with thousands of customers to sign specific new ‘model clause’ contracts. Even if that were possible, those contracts must now be suspect: the NSA’s ability to access data does not go away because a US company has signed a model clause contract with its EU customer. Taken to its logical conclusion, this would mean that data flows from the EU to the US would be cut off. Clearly, the EU had to do something to make sure that businesses dealing with citizens in Europe could keep running.
So, what has the EU done? After what have been described as ‘intense’ negotiations, the EU and US have agreed on a replacement scheme for Safe Harbor: the ‘Privacy Shield’. The Privacy Shield includes the setting up of an ‘ombudsman’ in the US to handle complaints from EU citizens about intelligence service access to their data, a complaints and dispute resolution procedure to protect the interests of EU citizens, and various other provisions designed to overcome the issues raised in Schrems.
But the Privacy Shield is not yet a done deal. The EU Commission will need to adopt an adequacy decision confirming that the Privacy Shield meets the requirement of EU law that citizens’ data receive adequate protection. Many argue this is questionable, and there must be a real possibility that Schrems, or someone else, will challenge the Privacy Shield for failing properly to protect EU citizens’ data.
What does all this mean for European businesses that handle personal data and need to send it to the US? It looks as if we are coming to a solution that will allow that to continue. The Privacy Shield’s built-in scheme of review and dispute resolution, coupled with language designed to address the key points of the Schrems judgment, ought to enable the EU Commission to adopt the Privacy Shield and declare that it provides an adequate level of protection to EU citizens. But there is still uncertainty, and there will inevitably be a risk that the Privacy Shield fails to get off the ground.
Whatever happens, and I am hopeful we will get to a solid landing on this, the whole question of EU to US data transfers affects almost every business, whether it is a big user or provider of outsourcing services or simply uses cloud-based services in its everyday operations. With citizens increasingly aware of the value of the data held by businesses, and concerned about what happens to it, this is an issue that will not quietly go away. Company boards need to think strategically about what they do with data, how they hold it, where it goes, and how to make sure their customers trust them to safeguard it.