Do you transfer customer data from the European Union to the United States? Employee data? If so, you had better make sure that you are taking the right steps to comply with the EU data privacy and protection laws. On October 6, 2015, the European Court of Justice ruled that the 15-year-old EU-U.S. Safe Harbor Framework, used by over 4,000 American businesses to transfer personal data from the 28 member countries of the European Union to the United States, was immediately invalid. Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (Oct. 6, 2015). Even if a company did not participate in the safe harbor program, now is a good time for it to consider the other options available to comply with current EU data protection and privacy laws. Here are the remaining viable options worth considering to limit a company's risk and liability:
Model Contract Clauses. The most popular option (especially now with the loss of safe harbor), model clauses require a business to have a data processing agreement that includes certain clauses that have been approved by the European Commission. Each and every entity with which data is exchanged must have these clauses in its agreement. These clauses may not be considered commercially friendly, however: they must be used exactly as approved by the European Commission and not modified in any way.
Binding Corporate Rules. Available since 2003, BCRs have been used by a relatively small number of businesses. BCRs are a set of strict rules, codes, practices, and procedures based upon EU data privacy and protection principles that govern the entire corporate enterprise. BCRs only cover the transfer of data within the corporate enterprise and must be approved by a Data Protection Authority in the EU. They can require a significant commitment of time and money. BCRs are the gold standard for data exports but are not as widely used because of time and expense. They may become more popular with the loss of safe harbor.
Informed Consent. If you obtain free and informed consent of the individual, the transfer of the individual's data may be permissible.
Contract Performance. If necessary to perform under a contract such as the booking of a hotel in the United States, the transfer of personal data only as necessary to fulfill the contract may be allowed.
Keep Data in EU. If the data remains in the EU, there is no issue. If you use a data center or computer server in the EU, or in another country (like Canada) that is deemed to provide adequate data privacy protection, the data transfer may be permissible.
For more information on alternative compliance methods, see Gray Plant Mooty's Legal Guide to Privacy and Data Security linked here, at pages 111-16.
How soon must I act? While the decision of the European Court takes immediate effect, it is unlikely that any particular Data Protection Authority will immediately initiate investigations or challenge the data privacy practices of an American business. It may take some time for each DPA to figure out exactly what it can and should do as a result of this decision.
The German Data Protection Authority has already taken the position that even BCRs and model clauses may not be adequate protection for an American business if U.S. law is not changed.
There have been efforts to negotiate a new safe harbor, but it may require significant changes in United States law to overcome the EU concerns. Key issues are the lack of judicial redress available to EU citizens and U.S. government surveillance activities. In the meantime we will continue to monitor and anxiously observe the consequences of this decision as it percolates through the regulatory and enforcement process.
Maisa Frank represents clients in a variety of litigation matters. Whether conducting pre-dispute investigations, navigating litigation, or negotiating resolutions, Maisa’s advice and strategy is vital to clients facing ...
About this Publication
The Franchise Memorandum is a collection of postings on summaries of recent legal developments of interest to franchisors brought to you by Lathrop GPM LLP.