UPDATE: After this article was published, the working group of the EU data protection authorities issued a statement setting out its views on the issue. There have also been statements published by national Data Protection Authorities. For the most recent information on the different responses to the ECJ's ruling across Europe, please visit our Privacy Matters blog.
What types of data transfer are affected?
The decision affects any transfer of data from the EU to the US, but in the employment context the following areas are likely to be of particular concern:
- US parent companies holding or having access to data regarding employees in the EU;
- Transfer of employee data to service providers based in the US or based elsewhere but storing data on servers in the US, such as HR system providers, payroll processing services, benefit providers and other HR services;
- Whistleblowing and other employee hotlines hosted from the US.
Some organisations will be transferring all or the majority of their HR data to the US; others will be transferring more limited data for the purposes of senior promotions, salary reviews, incentive and stock plans, or even merely professional contact and skills database information. The impact will be significant because many organisations that need to send data to the US have for many years relied on Safe Harbor as the easiest mechanism to do so.
Options for processing data without Safe Harbor
The G29 group of EU data protection authorities is in consultation aimed at reaching a common position, and a preliminary statement is expected next week. There is no official transitional period for implementing the decision, although in practice many organisations are likely to have a short grace period to develop solutions following the CJEU decision before the majority of national data protection authorities take enforcement action. National data protection authorities vary significantly both in their approach to enforcement and in the level of penalties applied.
No single 'one size fits all' approach across the EU will be compliant. The main current options for the transfer of employee data going forward are likely to be a combination of:
- EC approved model contract clauses - This will be the easiest and quickest interim solution in the UK and many other European jurisdictions. Group companies can enter into one intra-group agreement concerning the processing and transfer of data incorporating model contract clauses. Similarly, employers can enter into agreements with their service providers as data processors. However, the clauses will need tailoring to be compliant in different EU jurisdictions. In some countries this will take some time because it will require consultation with works councils or other employee bodies and, in some cases, approval by national data protection authorities;
- Consent - Employee consent to the transfer of data cannot be a complete solution: in the majority of EU countries (including the UK, France, Poland, Germany and the Netherlands), consent is unlikely to be regarded as a viable option in the employment context, particularly where there would be adverse consequences for the employee in refusing or withdrawing consent. In some countries, most notably Spain, where other alternatives such as the EC model clauses would not be acceptable to the local data protection authorities, employers may be able to rely on employee consent to the transfer of data, and in some countries consent may be an option for the transfer of certain data, such as for participation in a US managed stock option scheme where participation is voluntary;
- Binding corporate rules - These only cover intra-group transfers and require approval by all relevant national DP authorities, so they are complex and time-consuming. However, they may become more viable as a solution following the introduction of the new EU DP Regulation once finalised (due to come into effect in 2017);
- Bring data back to the EEA or another jurisdiction with adequate protections - It may be possible to reduce data stored in or accessed from the US by using more local systems and management; this is unlikely to be a complete solution, particularly in respect of intra-group transfers, but data flow could be limited and more robust secure deletion processes put in place. Where organisations are using US-based HR service providers, these could be changed to arrange storage in another jurisdiction.
There are other limited options which may be helpful in specific situations, such as the exemptions for the defence of legal claims and for contract performance at the request of the individual. However, it is important to note that the decision leaves open the possibility that, in time, some of the other currently legitimate methods of data transfer to the US or to other third countries may be challenged on similar grounds.
Some organisations were already not data protection compliant prior to this decision, either because the US organisations are not Safe Harbor registered or because data is going to other non-EEA countries without adequate data protection arrangements. Those organisations are at risk of enforcement action by local data protection authorities and will also need to consider the options outlined above.
The picture is changing daily so watch for developments. It may be that there is a political solution in time. We recommend not rushing into complex alternative arrangements without taking time to consider the options and understand the likely response of the relevant national data protection authorities and the EU. In the meantime, however, there are some steps which companies should take now:
- Determine whether or not your organisation is in fact relying on Safe Harbor: https://safeharbor.export.gov/list.aspx.
- Businesses that do rely on Safe Harbor should investigate what employee data goes to the US, the purposes for which it is used and whether it is possible to (temporarily) minimise or stop the data flow to the US whilst exploring other options.
- Review contracts with third party service providers based or storing data in the US; some agreements may already contain EU model clauses or it may be possible for the third party processor to move the data storage and processing away from the US. If considering changing service providers it is important to be aware of termination rights.
- Ultimately the best option in most EU jurisdictions is likely to be agreements containing the EC model clauses, but these will require tailoring and implementation on a country-by-country basis and this approach is not possible in all countries (for example Spain).
Please contact Tim Marshall or Patrick van Eecke if you wish to discuss the best options for your organisation and we can assist you with developing a compliant approach for your transatlantic data transfers going forward.