Update 10/6/2015: Schrems is decided (here). US law has structural deficiencies that prevent the US from complying with safe harbor. See paragraphs 94-5. It’s hard to see how BCRs and Model Contracts are not in trouble, too. After all, these provisions can’t protect against the NSA and other law enforcement either. (To be clear: I am not commenting on the wisdom, politics, pragmatics or legality of NSA programs, just on this decision.)
Employers who wish to transfer employee data from the EU should take notice of the recent opinion by the European Court of Justice’s Advocate General, Yves Bot (Schrems v the Irish Data Protection Commissioner, Case C-362/14). It is widely regarded as setting the Court up to deal a serious, if not fatal, blow to the EU-US Safe Harbor agreement, which allows data transfer between the two despite the US not being deemed an “adequate” data protector by the EU.
Even if an employer does not rely on safe harbor, it is very important to pay attention to this opinion, because its reasoning threatens serious damage to all forms of employee-data transfer to the US.
The core of Bot’s argument:
- …the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.
- Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.
To the extent that the US does the things Bot claims it does, the conclusion is that there is no adequate level of protection of data in the US:
- …it must follow a fortiori, that third countries cannot under any circumstances be regarded as ensuring an adequate level of protection of personal data of citizens of the Union where their rules of law do in fact permit the mass and indiscriminate surveillance and interception of such data.
More than a data adequacy matter, Bot sees in all of this nothing short of “infringements of the fundamental rights of citizens of the Union” (at 217). After all, “[t]he revelations in question point to a level of surveillance of a massive and indiscriminate scale” (see 223). And, given the secret and ex parte nature of the Foreign Intelligence Surveillance Court (‘the FISC’), Bot concludes that citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data (at 35).
If the Court adopts Bot’s reasoning, safe harbor may fail in the employment context.
Given Bot’s expansive argument, most of the other transfer mechanisms will likely fail, too. Let’s look at some of them.
Transfers of an employee’s personal data to a company outside of the EU can only take place where the recipient company is in a country that ensures an adequate level of protection for the data. If not, then there are a few relevant grounds to permit the transfer:
- the transfer is on the basis of contractual solutions as authorized by a member state as providing adequate safeguards,
- the transfer is on the basis of standard contractual clauses approved by the Commission as providing adequate safeguards,
- the employee has given consent, or
- the transfer is necessary for the performance of a contract between the data subject and the controller.
(There are others, but these are the most relevant).
The standard contractual clauses approved by the EU offer an alternative mechanism for transferring personal data of workers to subsidiaries or affiliates in third countries where there is no adequate level of data protection in place. However, some authorities, including some German data protection authorities, have used the same reasoning as Bot’s to refuse to approve such transfers. In light of Bot’s opinion and the obligation of users of standard contractual clauses to provide the same level of protection as if the data were in the EU, this basis for transfer is fundamentally at risk.
Binding corporate rules may similarly suffer. BCRs essentially create a set of rules for the data controller to follow, and make employees third-party beneficiaries of the rules with the right to enforce them. They too suffer from the same problem as standard contracts: adequate protection, which is doubtful in light of Bot’s argument. Phil Lee articulates the US surveillance problem with BCRs:
The view of EU regulators is that EU citizens’ data should not be disclosed to foreign governments or law enforcement agencies unless strict mutual legal assistance protocol has been followed. …
By contrast, the US and other foreign governments say that prompt and confidential access to data is often required to prevent crimes of the very worst nature, and that burdensome mutual legal assistance processes often don’t allow access to data within the timescales needed to prevent these crimes. The legitimate but conflicting views of both sides lead to the worst kind of outcome: political stalemate.
And intense legal risk for users of BCRs. Lee notes that the very recent Explanatory Document on the Processor Binding Corporate Rules (WP 204) attempts to deal with this problem by acknowledging that sometimes, the best a BCR user can do is use “best efforts to obtain the right to waive [a law enforcement disclosure] prohibition in order to communicate as much information as it can and as soon as possible”.
Given the limiting text that follows this, I don’t think the Working Party is successful:
In any case, transfers of personal data by a processor to any public authority cannot be massive, disproportionate and indiscriminate in a manner that it would go beyond what is necessary in a democratic society.
No BCR can meet this standard, given Bot’s description of the NSA program and his conclusion that the surveillance causes infringements of the fundamental rights of citizens of the Union.
I wouldn’t rest on BCRs as a solution to transfer of personal employee data.
Consent of the data subjects doesn’t work for reasons not related to Bot’s arguments. Can an employee truly consent? Not really. In a slightly different context, the Article 29 Working Party opines that:
where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given. If it is not possible for the worker to refuse it is not consent. Consent must at all times be freely given. Thus a worker must be able to withdraw consent without prejudice.
Finally, it is also unlikely that an employer can use the justification that such a transfer is necessary for the performance of a contract between the employee (data subject) and the employer (data controller). The Article 29 Working Party, in its working document interpreting Article 26(1), considers it unlikely that the concept of an employment contract can be interpreted so broadly, as there is no direct and objective link between performance of an employment contract and such a transfer of data (WP 114 at 14).