EU Data Transfers Under Fire

News emerged this week that the Irish data authority will order Facebook to stop use in the US of data and information about Irish residents. This development is part of a long-running saga between the EU and the US about what constitutes “adequate” protection of personal data about European individuals. If your company has employees, customers, or suppliers in Europe and relies on contracts, government certification, or other formal mechanisms to allow you to use data about those individuals on systems located in the US, the Facebook news and related issues may be relevant.

PRIVACY SHIELD INVALIDATED

For years, the US and EU have had in place a negotiated framework to permit exportation of personal data from the EU to the US. This “Privacy Shield” program is used by a lot of large companies. It requires self-certification to a set of standards maintained and enforced by the US Department of Commerce, which manages the Privacy Shield for the US. That scheme has been declared invalid by the supreme courts of the EU and of Switzerland this summer and is the immediate reason for the Irish Facebook investigation.

If your company is a Privacy Shield signatory:

• Do NOT halt compliance with the Privacy Shield. US officials are working with the EU to minimize the impact of the court decisions.
• Do NOT release any previously imported data from the rules you have in place to implement your Privacy Shield compliance: that data is still subject to the Privacy Shield rules, at least until there is more clear direction as to the impact of the court decisions.
• Work with your HR team, lawyers, and suppliers as appropriate to investigate alternate means to assure EU constituents that your data security measures are “adequate” to protect individuals within the meaning of EU privacy law. This may mean upgrading security, or signing new agreements, or undergoing security assessments, or other measures.

STANDARD EU PRIVACY CONTRACTUAL CLAUSES ARE SUBJECT TO FURTHER DILIGENCE

The vast majority of companies in the US are not Privacy Shield certified because of the time, expense, and difficulty associated with obtaining and maintaining certification. Most companies that import EU data to the US instead rely on contracts and amendments, such as Data Processing Agreements/Addenda, that incorporate formal language released by the EU and intended to guarantee protection of EU residents’ personal data at “adequate” levels.

For now, the fate of those approved clauses is cloudy; but they appear to be valid. However: the EU companies that rely on them are likely to initiate additional diligence associated with the relevant contracts. As with the above points, you are likely to face inquiries from your employees, customers, and suppliers about the “adequacy” of your security; and you may have to upgrade, agree to assessments, or sign new or amended contracts.

THE BOTTOM LINE

If your business in the US uses personal data about any individuals in the EU, you may face heightened duties to assure its security. Assessing what you have, how it is protected, and whether your business stakeholders require more is a complex undertaking and should include your business and technology experts, potentially your HR experts or other internal data users, and your legal advisors. Because the root of the dispute between the US and the EU has to do with US policies about national security, and those require negotiated solutions between two large political entities, these issues are unlikely to resolve quickly. It is clear, however, that all European companies have been placed on notice that their US business partners must be able to demonstrate their ability to secure personal data “adequately” in the eyes of EU authorities – and that responsibility will flow to US businesses via additional security and other contractual commitments.