What Transatlantic Employers Need to Know About EU-US Data Transfers

• Safe Harbor 2.0 will not be so useful because Schrems held that the EU Court of Justice lacks jurisdiction to enforce uniform standards.
• Yesterday’s European Commission communication to the European Parliament confirms that Schrems is a serious problem for US employers with EU employees.
• A key part of managing evolving privacy standards is the data governance practice of rigorously maintaining information provenance.  And, model contracts are in trouble but are the best bet today.

More on each below.

• The Problem with Safe Harbor 2.0.  We likely should not expect a useful agreement on Safe Harbor 2.0.  Despite best efforts to negotiate SH2.0, is hard to see how it will work.  As widely reported, Schrems establishes a very high bar for the US.  But it also concluded that the Commission did not have the power to restrict a national data protection authorities’ right to investigate and review whenever “a person calls into question whether [safe harbor] is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.”  In fact, Schrems leads, essentially, to a remand which requires the Irish court to investigate Schrem’s complaint.  So, even if an agreement is reached, SH2.0 will of necessity likely lack a key virtue: EU-wide uniformity.  If only the EU had a supremacy clause…

Yesterday’s communication from the European Commission to the European Parliament concerning the state of data transfers from the EU to the US should make for some interesting and worrying reading for US-based employers who transfer employee data out of the EU.  The European Commission is (was) responsible for safe harbor — and is responsible for implementing Schrems (my earlier article on the death of Safe Harbor and employers is here).

Here are two observations on the Communication that, taken together, make these challenging times for employers:

• Communication: Observation 1. The communication reminds us that the Article 29 Working Party issued a statement which noted while Model Contractual Clauses (“MCCs”) and Binding Corporate Rules (“BCRs”) can be used as a basis for data transfers, it noted that it will continue to analyse the impact of the judgment on these alternative tools (as I argued was inevitable, here).   It further reminds us that the Working Party announced that if, by the end of January 2016,the EU and US haven’t sorted things out, local data protection authorities “will take all necessary and appropriate action, including coordinated enforcement action.”  In other words, in three months, all bets are off.
• Communication: Observation 2.  The communication also reminds us of the deep skepticism with which the EU rejects the most relevant derogation for otherwise impermissible transfers: consent.  Employee consent to transfer data highly suspect in the employment context, as “the relationship of subordination and inherent dependency of employees will normally call into question reliance on consent.”

Finally, two practice pointers:

• Practice Pointer One.  Presently, the model contracts strike me as a key way to transfer employee data.  (Yes, I argued BCRs were in a previous post).  Model Contracts are easier to use — and make sense if the parties are at less-than-arms-length.  Enforcement is less likely in such a circumstance.
• Practice Pointer Two.  A key part of managing evolving privacy standards is the data governance practice of rigorously maintaining information provenance.  According to David Ray:

Information provenance refers to where information was collected and the notice and consent provisions under which it was collected. Companies need to know how individuals’ personal information came to exist in their systems, databases and data warehouses, and what the individuals were told about how their information would be used.

Ray rightly suggests that with such provenance information, one can create “an information trail similar to ‘chain of custody.'”