The Franchise Memorandum

Do you transfer customer data from the European Union to the United States? Employee data? If so, you better make sure that you are taking the right steps to comply with the EU data privacy and protection laws. On October 6, 2015, the European Court of Justice ruled that the 15-year-old EU-U.S. Safe Harbor Framework used by over 4,000 American businesses to transfer personal data from the 28 member countries of the European Union to the United States was immediately invalid. Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (Oct. 6, 2015). Even if a company did not participate in the safe harbor program, now is a good time for it to consider other options available to comply with current EU data protection and privacy laws. Here are the remaining viable options worth considering to limit a company's risk and liability:

Model Contract Clauses. The most popular option (especially now with the loss of safe harbor), model clauses require a business to have a data processing agreement that includes certain clauses that have been approved by the European Commission. Each and every entity with which data is exchanged must have these clauses in their agreement. These clauses may not be considered commercially friendly, however. They must be used exactly as approved by the European Commission and not modified in any way.

Binding Corporate Rules. Available since 2003, BCRs have been used by a relatively small number of businesses. BCRs are a set of strict rules, codes, practices, and procedures based upon EU data privacy and protection principles that govern the entire corporate enterprise. BCRs only cover the transfer of data within the corporate enterprise and must be approved by a Data Protection Authority in the EU. They can require a significant commitment of time and money. BCRs are the gold standard for data exports but are not as widely used because of time and expense. They may become more popular with the loss of safe harbor.

Informed Consent. If you obtain free and informed consent of the individual, the transfer of the individual's data may be permissible.

Contract Performance. If necessary to perform under a contract such as the booking of a hotel in the United States, the transfer of personal data only as necessary to fulfill the contract may be allowed.

Keep Data in EU. If the data remains in the EU there is no issue. If you use a data center or computer server in the EU or another country (like Canada) that is not deemed to have inadequate data privacy, the data transfer may be permissible.

For more information on alternative compliance methods, see Gray Plant Mooty's Legal Guide to Privacy and Data Security linked here, at pages 111-16.

How soon must I act? While the decision of the European Court takes immediate effect, it is unlikely that any particular Data Protection Authority will immediately initiate investigations or challenge the data privacy practices of an American business. It may take some time for each DPA to figure out exactly what they can and should do as result of this decision.

The German Data Protection Authority has already taken the position that even BCRs and model clauses may not be adequate protection for an American business if U.S. law is not changed.

There have been efforts to negotiate a new safe harbor but it may require significant changes in United States law to overcome the EU concerns. Key issues are the lack of judicial redress available to EU citizens and U.S. government surveillance activities. In the meantime we will continue to monitor and anxiously observe the consequences of this decision as it percolates through the regulatory and enforcement process.