Privacy Shield Boot Camp 2016 - Practising Law Institute

© Practising Law Institute

To order this book, call (800) 260-4PLI or fax us at (800) 321-0093. Ask our Customer Service Department for PLI Order Number 190944, Dept. BAV5.

Practising Law Institute
1177 Avenue of the Americas
New York, New York 10036

Privacy Shield Boot Camp 2016

INTELLECTUAL PROPERTY Course Handbook Series Number G-1291

Chair: Harry A. Valetk




Bloomberg BNA: World Data Protection Report—The EU-U.S. Privacy Shield Versus Other EU Data Transfer Compliance Options; Volume 16, Number 8 (August 2016)

Submitted by: Brian L. Hengesbaugh

Baker & McKenzie LLP

Reproduced with permission from World Data Protection Report, 16 WDPR 08, 8/25/16. Copyright © 2016 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

COPYRIGHT © 2016 BY THE BUREAU OF NATIONAL AFFAIRS, INC., WASHINGTON, D.C.

If you find this article helpful, you can learn more about the subject by going to www.pli.edu to view the on demand program or segment for which it was written.


EU-U.S. Privacy Shield

Baker & McKenzie attorneys discuss the pros and cons of the recently-approved EU-U.S. Privacy Shield and compare it to other options available for cross-border data transfers from the European Economic Area to the U.S. When companies choose an appropriate compliance mechanism to establish adequate safeguards for data importers and onward transferees outside the EEA, they should carefully analyze their particular situation, the authors write.

The EU-U.S. Privacy Shield Versus Other EU Data Transfer Compliance Options

By Lothar Determann, Brian Hengesbaugh and Michaela Weigl

Since Aug. 1, 2016, companies in the U.S. can join the EU-U.S. Privacy Shield Program operated by the U.S. Department of Commerce (European Commission Decision 2016/1250 of July 12, 2016). More than 70 companies joined almost immediately. Others are considering if and when they should join and what alternatives they have.

I. How Can U.S. Companies Join the Privacy Shield?

U.S. companies can certify online to Commerce that they comply with the Privacy Shield Principles after they conduct and document a self-assessment. Commerce reviews the applicants’ submission information and privacy policy and can also request information regarding onward transfer agreements. See Privacy Shield Adequacy Decision, L 207/51, Accountability For Onward Transfer, 3.a.(vi).

II. Why Should U.S. Companies Join the Privacy Shield?

U.S. companies consider joining Privacy Shield for ease of doing business with European companies and customers.

Companies established or using equipment in the European Economic Area (EEA)—the 28 EU member states plus Iceland, Liechtenstein and Norway—are prohibited from sharing personal data with affiliates, vendors, customers and anyone else outside the EEA, unless an adequate level of data protection in the recipient jurisdiction is assured or an exception or derogation applies. This prohibition stems from the EU Data Protection Directive of 1995 (95/46/EC) (EU Data Protection Directive) and a comparable requirement will continue to apply when the new General Data Protection Regulation (GDPR) becomes effective on May 25, 2018 (see Art. 25 of the EU Data Protection Directive and Art. 44 of the GDPR). In the Directive and in Art. 4 No. 1 GDPR, the term "personal data" is broadly defined to include any information relating to an identifiable individual. Art. 4 No. 1 GDPR defines "personal data" as follows:

... "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Practically, companies cannot conduct any business without sharing at least some contact information and many transactions require more intensive information sharing. Therefore, companies in the EEA need to ensure adequate data protection safeguards to do business or otherwise transmit data outside the EEA.

Brian Hengesbaugh and Amy de La Lama, Cross-Border Data Transfers, 520 Privacy & Data Security Practice Portfolio Series (Bloomberg BNA).


The European Commission has approved a few countries as generally assuring adequate data protection levels, including Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay, but has not issued a blanket adequacy finding for all of the U.S., even though U.S. data privacy laws are in many respects more specific, effective and up to date than data protection laws in Europe and other countries. Lothar Determann, Adequacy of data protection in the USA: myths and facts, International Data Privacy Law (forthcoming, 2016); US-Datenschutzrecht—Dichtung und Wahrheit, NVwZ 2016, 561.

In 2000, the European Commission issued a uniquely limited adequacy finding for the U.S. whereby U.S. companies would be deemed to assure adequate data protection if they joined a "Safe Harbor" program that the U.S. Commerce Department had agreed with the European Commission to enable U.S. companies to satisfy EU adequacy requirements. Fifteen years and approximately 4,500 company registrations later, the Court of Justice of the European Union (CJEU) invalidated the Commission’s adequacy decision from 2000 on Oct. 6, 2015 due primarily to concerns that the Safe Harbor itself did not embed protections against U.S. law and policy on government surveillance. Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, judgment of Oct. 6, 2015; L. Determann, U.S. Privacy Safe Harbor—More Myths and Facts, Bloomberg BNA Privacy & Security Law Report, 14 PVLR 2017 (2015). For now, Commerce continues to maintain the Safe Harbor program, but has already announced that it is no longer accepting new registrations, and will discontinue accepting annual re-certifications for existing Safe Harbor companies as of the end of October 2016.

After the CJEU challenge to the Safe Harbor program, the European Commission and Commerce intensified their work on a successor program, which they had been working on for a couple of years already. Brian Hengesbaugh, Amy de La Lama, Michael Egan, European Commission Reaffirms Safe Harbor and Identifies 13 Recommendations to Strengthen the Arrangement, Bloomberg BNA Privacy & Security Law Report, 12 PVLR (2013). They created the EU-U.S. Privacy Shield program to address all concerns that the CJEU had raised. On July 12, 2016, after obtaining all requisite approvals and engaging in appropriate consultations, the European Commission issued its decision finding that "the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield." Article 1.1 of the Privacy Shield Adequacy Decision, L 207/35. See also Gilbert/van der Heijden, EU-U.S. Privacy Shield 2.0


signed, sealed and delivered, Bloomberg BNA, Privacy & Data Security Law, July 28, 2016 (16 WDPR 07, 7/28/16); Cooper/Kuschewsky/Coughlan, The EU-U.S. Privacy Shield: What’s New and What’s Next?, Bloomberg BNA, World Data Protection Report, July 28, 2016; Koo, New EU-U.S. Data Transfer Pact May Face Court Challenges, Bloomberg BNA, Privacy & Data Security Law, July 25, 2016 (16 WDPR 08, 8/25/16). As expected, certain politicians, activists and data protection authorities in the EU immediately criticized the program and announced plans to challenge it. McLellan, Felz, Beierlein, Enforcement Outlook: German Data Protection Authorities Eye Cross-Atlantic Data Transfers, Bloomberg BNA Privacy and Data Security Law, August 1, 2016 (16 WDPR 07, 7/28/16). However, speaking collectively, the Article 29 Working Party of EU Data Protection Authorities affirmed that Privacy Shield offers "major improvements" as compared to Safe Harbor, and has issued statements indicating that it will raise any ongoing concerns about Privacy Shield in the context of the annual review of the program, and that the EU data protection authorities will not plan to challenge the program collectively for at least a year.

III. What Other Hurdles to International Data Transfers Apply in the EEA?

Companies in the EEA have to overcome three hurdles before they can lawfully transfer personal data to a company in the U.S.: (1) generally applicable local compliance obligations, (2) general prohibitions on data processing, including data disclosures to third parties (whether domestic or international), and (3) prohibitions on international data transfers outside the EEA. Any violation at either level will cause the data transfer to be ultimately unlawful. See non-binding guidance of March 19, 2009 from the European Commission Data Protection Unit (Frequently Asked Questions relating to Transfers of personal data from the EU/EEA to Third Countries), p. 18.

1. First Hurdle: Local Compliance. Companies in the EEA have to comply with a number of formal and substantive data protection law requirements. For a country-by-country overview, see Baker & McKenzie Global Privacy Handbook (2016 Edition) and Determann’s Field Guide to Data Privacy Law, 2nd Ed. (2015). Please also see Determann/Kramer/Stoker/Weigl, Going Global Online, Basic E-Commerce and Data Privacy Considerations, Bloomberg BNA Privacy and Security Law Report, Jan. 12, 2015, p. 6 seq. These requirements apply regardless of whether data is transferred or not.

Data controllers have to notify data subjects about all relevant details of data processing, including the legal basis for the collection, use and other processing of personal data (see Art. 13 and 14 GDPR), as automated data processing is by default prohibited in the EEA. See Michaela Weigl, The EU General Data Protection Regulation’s Impact on Website Operators and eCommerce, Comp. Law Rev. Int’l, August 2016, p. 102-108. Companies can justify data collection with consent from the data subject, a need to perform contractual obligations, statutory requirements to collect data, legitimate interests and a number of other reasons (see Art. 6 GDPR).

Some EEA member states also require that companies notify national data protection authorities or appoint data protection officers. Lothar Determann and Denise Lebeau-Marianna, Getting a Grip on International Data Protection Authority Filings, 10 BNA Privacy & Security Law Report 639 (2011) (11 WDPR 31, 10/28/11); Lothar Determann and Christoph Rittweger, German Data Protection Officers and Global Privacy Chiefs, BNA Privacy & Security Law Report (2011). Under the GDPR, more companies will have to appoint data protection officers throughout the EEA and notification requirements may be reduced or abolished (Art. 37 and recital 89 of the GDPR respectively).

2. The Second Hurdle: Disclosures. Even if a company is perfectly in compliance with local data privacy laws (first hurdle) and it also meets the specific requirements for transfers outside the EEA (third hurdle, discussed next), it is not a given that such a company may disclose a particular item of personal data at all to another data controller. Even a wholly-owned, closely-held subsidiary that discloses personal data to its parent company in the same or in another EEA member state has to justify the disclosure. Thus, as a second hurdle to international data transfers, the company in the EEA has to make a case for why the disclosure is permitted despite the general prohibition on processing. This second hurdle is often overlooked by companies focusing on the first and third hurdle.

As with respect to any other processing, companies can theoretically justify disclosures by obtaining valid consent or demonstrating a necessity to transfer data in order to perform a contract with the data subject or comply with local laws. But, data subjects tend to be reluctant to agree to data disclosures and contractual necessities are often not clearly present to justify transfers. For example, an employer needs to collect and process certain personal data to pay its employees, monitor and reward their performance, provide benefits coverage and report and withhold taxes, in accordance with contractual and statutory obligations as an employer. But, it is less clear whether the employer may also disclose employee information to its ultimate parent company, which is a common practice in many multinational groups.


Many multinationals may be able to refer to legitimate interests in this respect (see Art. 6 (f) GDPR, recital 48 GDPR); specifically, small subsidiaries without a human resources department may be able to demonstrate legitimate interests or even a contractual necessity for transfers to a 100 percent parent company that manages payroll and other human resources functions for its smaller subsidiaries. But, a larger subsidiary with stand-alone administrative functions may find it more difficult to justify disclosures, because some of the functions and data could also be kept locally.

There are good arguments that multinational businesses will succeed in showing needs for human resources disclosures regarding some data categories that the U.S. parent company legitimately needs, e.g., for cross-border projects and career management, secondments and employee stock option grants. Also, subsidiaries in the EEA that act as sales representatives for U.S. parent companies should be permitted to disclose customer contact information based on legitimate interests for purposes of enabling the U.S. parent company to conclude and perform sales contracts with customers in the EEA. Similarly, companies may have to share certain customer data with logistics providers (to deliver products) and manufacturers (to support expeditious recalls or warranty support). But, independent resellers, for example, may find it more difficult to justify disclosures of consumer data to unaffiliated suppliers.

Where companies cannot otherwise justify data disclosures, they can also consider an engagement of the recipient company as a mere data processor under an appropriate data processing agreement. Companies do not have to further justify data disclosures to service providers if they concluded a data processing agreement that complies with Art. 28 GDPR. There are good arguments that Art. 28 GDPR constitutes a statutory permission for the processing if requirements are complied with, see Niko Härting, May 10, 2016 CR-online.de Blog; and Lothar Determann, Data Privacy in the Cloud—Myths and facts, 121 Privacy Law & Business 17 (2013); L. Determann, EU Standard Contractual Clauses for Transfers of Personal Data to Processing Service Providers Reassessed, BNA Privacy and Security Law Report 10 PVLR 498 (2011) (11 WDPR 35, 4/29/11).

3. Third Hurdle: Transfers Outside the EEA. Companies have to cross only the two hurdles previously discussed with respect to data disclosures within the EEA or to countries that the European Commission has generally declared to assure adequate safeguards, i.e., Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay and others. The same applies with respect to U.S. companies that join the Privacy Shield, based on the adequacy decision of the European Commission of July 12, 2016. But, with respect to any data transfers to other countries outside the EEA or to U.S. companies that do not participate in the Privacy Shield program, companies have to cross a third hurdle, namely the general prohibition on international data transfers.

In this respect, companies in the EEA have a number of different options to make transfers subject to appropriate safeguards or otherwise qualify for derogations or other exceptions (see Articles 44 through 49 of the GDPR), including the following:

• explicit consent from the data subject;

• a need to perform a contract with or in the interest of the data subject;

• important reasons of public interest;

• the establishment, exercise or defense of legal claims;

• vital interests of the data subject or of other persons;

• Standard Contractual Clauses; and

• Binding Corporate Rules (and, under the GDPR, also approved Codes of Conduct).

IV. What Requirements Do the Alternative Data Transfer Vehicles Present?

All alternatives come with strings attached, including the following:

1. Consent and contracts. Companies can legitimize many types of data processing and transfers by obtaining valid consent from the data subjects, i.e., the persons to whom the data relates, or by undertaking contractual commitments that necessitate the transfer (Art. 49.1 a) and b) GDPR). Valid consent and necessities under contracts can help overcome each of the three hurdles. But, consent is valid only if it is freely given, specific, informed and unambiguous, and it can be revoked at any time (Art. 4 No. 11 GDPR), which can be challenging to achieve (e.g., in the employment context, employees may be viewed as having limited capacity to freely consent with their employer). The GDPR requires explicit consent for the transfer outside the EEA and requires companies to explicitly warn data subjects about the risks of such international data transfers.

2. Standard Contractual Clauses. If a company within the EEA agrees with a company outside the EEA that the latter will comply with Standard Contractual Clauses approved by the European Commission for data transfers to controllers (Controller SCC 2004) or processors (Processor SCC 2010), then "adequate safeguards" are presumed. Art. 46 para. 2 c) GDPR; Brian Hengesbaugh, Michael Mensik, Lothar Determann, Global Data Transfers and the European Directive—A Practical Analysis of the New ICC Contract Clauses, BNA Privacy & Security Law Report, Vol. 4, No. 6, 2/7/2005, pp. 153-156; Lothar Determann, EU Standard Contractual Clauses for Transfers Of Personal Data to Processing Service Providers Reassessed, BNA Privacy and Security Law Report 10 PVLR 498 (2011).


Currently available Standard Contractual Clauses will be grandfathered under the GDPR unless and until the Commission amends them or the CJEU invalidates the applicable adequacy decision (Art. 46.5 sent. 2 GDPR). In order to enjoy the benefit of the adequacy finding of the European Commission, the parties may not modify the Standard Contractual Clauses in any manner that would contradict, indirectly or directly, the clauses or the data protection rights of the data subjects (recital 109 GDPR). Companies are in principle free to modify the clauses or draft their own agreements from scratch, but such "homemade" agreements are subject to full scrutiny by every EU member state and may trigger various additional requirements to notify or obtain approval from local authorities (which can be time-consuming, costly and difficult to manage). But, companies are generally permitted to add provisions that do not affect the privacy protections in the clauses, such as indemnity rules, without implicating the European Commission’s binding decision, as expressly noted in the Standard Contractual Clauses.

3. Binding Corporate Rules. For intra-group data transfers, multinational groups can also submit to Binding Corporate Rules (BCRs), i.e., binding commitments that reflect and safeguard compliance with EU data protection laws on a group of companies. Art. 46.2(b) and 47 GDPR. BCRs cannot legitimize data transfers to unaffiliated entities, such as customers, suppliers, distributors, service providers, civil litigants, government agencies and other entities. Art. 47 para. 2 GDPR sets out the minimum specifications that have to be included in BCRs, including, for example, the structure and contact details of the group of companies, the data transfers or set of transfers (including the categories of personal data), the type of processing and its purposes, the type of data subjects affected and the identification of the third country, etc. Art. 47 para. 1 additionally provides that BCRs must be legally binding, apply to and be enforced by the group companies, and expressly confer enforceable rights on data subjects with regard to the processing of their personal data. The European Commission may specify the format and procedures for BCRs. Art. 47 para. 3 GDPR.

4. Approved codes of conduct or certification mechanisms. When the GDPR applies, companies may also become able to rely on codes of conduct that industry associations develop if approved by data protection authorities and granted general validity by the European Commission. Also, approved certification mechanisms issued by certification bodies or data protection authorities may provide appropriate safeguards after the GDPR comes into effect (Art. 46.2 e) and f) GDPR in connection with Art. 40 and 42 GDPR).

5. Other options. A few other options apply and companies can mix and match. No one size fits all. Each option presents different advantages and disadvantages in particular scenarios. Notably, with some of these options, companies can not only address the third hurdle described in part III.3 of this article (international transfer prohibitions), but also the first and second hurdle described in parts III.1 and 2 respectively, i.e., general compliance obligations and disclosure restrictions. The following parts V and VI of this article focus on comparisons, advantages and disadvantages of the different options to legitimize data transfers.

V. How Does Privacy Shield Compare to the Predecessor Safe Harbor Program?

At first sight, the Privacy Shield Principles are more elaborate and rigid than the Safe Harbor Program: In 2000, the Safe Harbor Principles took up 2.5 pages and the Commission’s adequacy decision 40 pages in the Official Journal of the EU; in 2016, the Privacy Shield Principles weigh in at 19 pages and the adequacy decision at 112 pages. This increase in word count parallels the growth of EU data protection legislation from the 1995 EU Data Protection Directive on 19 pages to the 2016 GDPR on 88 pages.

More substantively, the Privacy Shield arrangement contemplates annual reviews and updating of the Privacy Shield Principles as well as a number of strengthened or new privacy safeguards such as requirements regarding more detailed privacy notices (calling out details on liability, access rights and dispute resolution), more robust onward transfer contracts and access to such contracts by the Commerce Department, and data minimization, data retention, independent recourse mechanisms at no cost to the individual, as well as publication requirements relating to non-compliance. Companies that voluntarily leave the program must return or delete all previously received personal data or continue to apply the Privacy Shield Principles to such data and recertify compliance on a perpetual, annual basis. If the Commerce Department removes a company from the Privacy Shield Program, the company must delete or return previously collected data (Section 3 of Annex II).

Additionally, the U.S. Director of National Intelligence offered concrete and robust commitments to the EU in 18 page-long undertakings accompanying the Privacy Shield Principles. Privacy Shield Adequacy Decision, L 207/91. Previously, the U.S. President had already significantly reined in National Security Agency surveillance and U.S. Congress had strengthened privacy protections in the Judicial Redress Act and the USA Freedom Act (repealing the infamous USA Patriot Act) as a reaction to domestic and international concerns regarding mass surveillance revealed by Edward Snowden in 2013. Lothar Determann and Teresa Michaud, U.S. Privacy Redress and Remedies for EU Data Subjects, Bloomberg BNA Privacy & Security Law Report, 14 PVLR 206 (2015); Lothar Determann and Karl-Theodor zu Guttenberg, On War and Peace in Cyberspace: Security, Privacy, Jurisdiction, Symposium 2014: The Value of Privacy, Hastings Constitutional Law Quarterly, 41 Hastings Const. L.Q., 1 (2014).

VI. How Does the Privacy Shield Compare to Other Data Transfer Options?

Companies can assess the available options (see III.3 above) based on various different criteria, including the following dozen:


1. Substantive compliance obligations. The Privacy Shield Principles of 2016, the Processor SCC 2010 and the Controller SCC of 2004 were created over a span of 12 years with input from different organizations, including the U.S. Commerce Department and the International Chamber of Commerce. Each compliance vehicle contains substantive terms that are intended to commit U.S. companies to core principles of EU data protection laws, but each document uses different verbiage and nuances, which will affect companies differently depending on their business focus and overall situation. For example, the Privacy Shield Principles are specific regarding opt-out rights to onward transfers, dispute resolution process, and data retention.


The Processor SCC and Controller SCC contain more generalized descriptions on these issues, although it is expected that these clauses will be updated with more specificity in the coming months to respond to the rigors of GDPR. The specifics of the substantive compliance obligations companies must assume in BCRs will depend on what they can achieve in their negotiations with authorities for approval of their BCRs. With respect to emerging solutions, such as Codes of Conduct, the specifics of the substantive requirements will depend on private sector proposals and views of data protection authorities in the approval processes. Where companies rely on consent or contractual necessities, they define their substantive compliance obligations in the terms they present to the data subjects in contracts and privacy notice forms, although the sufficiency of such terms may be subject to review and approvals of authorities depending on national rules.

2. Flexibility and configurability. When companies are able to obtain consent or contractual agreements with data subjects, they may have the great advantage that they can tailor the scope of the consent or contract to their particular situation and avoid having to adapt to the more regulated frameworks of the Standard Contractual Clauses, the BCRs, the EU-U.S. Privacy Shield, Codes of Conduct or certification schemes.

But, consent is valid only if consent is freely given, specific, informed and unambiguous. For international transfers outside the EEA consent additionally has to be explicit. It is not always practical to meet these requirements. Brian Hengesbaugh, Michael Mensik, and Amy de La Lama, Why Are More Companies Joining the U.S.-EU Safe Harbor Privacy Arrangement, International Association of Privacy Professionals (IAPP) Privacy Advisor (January 2010). Some types of businesses do not have any direct relationship with data subjects and they can therefore not approach the data subjects with a request for consent, e.g., cloud, SaaS or outsourcing service providers and companies that host data or websites to which others submit information that may include personal information on EU residents.


Businesses might also have difficulties meeting the "voluntariness" requirement: For example, the data protection authorities in most EEA member states presume that employee consent is coerced, hence involuntary, given the typical imbalance of power in the employment relationship. See, for example, Art. 29 Working Party, WP193, accessed August 7, 2016; L. Determann and L. Brauer, Employee Monitoring Technologies and Data Privacy–No One-Size-Fits-All Globally, 9 The IAPP Privacy Advisor, 1 (2009); L. Determann, When No Really Means No: Consent Requirements for Workplace Monitoring, 3 World Data Protection Report 22 (2003).

Additionally, recital 43 GDPR states that consent should not provide a valid legal ground where there is a "clear imbalance" between the data subject and the controller, not providing examples for "clear imbalance." The term "clear imbalance" might be interpreted as already interpreted by many data protection authorities in employment relationships; however, it might also be extended to other cases, e.g. if a consumer concludes a contract with a company. In such case relying on consent could become an unreliable solution. Most companies also find it challenging to obtain and maintain consent with sufficient specificity, as technology, business practices and purposes change constantly and force companies to update consent forms frequently.[33] Another important consideration is that data subjects can revoke voluntary consent at any time. Therefore, in practice, companies often cannot – or do not wish to – rely on consent to legitimize international data transfers, at least not as the sole compliance measure.

Similarly, contractual obligations vis-a-vis data subjects are not always in place or suited to justify data transfers. Some companies are able to bolster their position regarding data subject consent by additionally creating contractual obligations that in turn create a necessity to engage in certain transfers. For example, if a company contractually agrees with a data subject to retain certain third parties in other jurisdictions to provide services or information, or to ship physical items to the data subject, then the company can justify the data transfers to the third parties, as such transfers are necessary to perform under the contract. Some jurisdictions may apply less stringent requirements to online contract formation than they apply to consent under data protection laws, but many European jurisdictions generally empower courts to scrutinize the fairness of clauses in adhesion contracts beyond the standards applied by U.S. law and jurisprudence. See L. Determann, Notice, Assent Rules for Contract Changes After Douglas vs. U.S. District Court, 12 BNA Electronic Commerce & Law Report 32 (2007); L. Determann and A. Purves, The Glue that Holds it Together: Enforceability of Arbitration Clauses in Click-Through Agreements and Other Adhesion Contracts, 14 Electronic Commerce & Law Report (2009).

[33] It is worth noting that companies are required to notify data subjects about the company's data processing practices in any event, whether or not the company relies on consent (see Art. 13, 14 GDPR). Yet, data protection authorities and courts might apply higher standards of scrutiny with respect to the amount of information that is required to render consent informed and explicit, compared to a situation where a particular data processing activity is permissible without consent and notification of data subjects is required in the general interest of transparency.

3. Geographic and topical coverage. Companies can use consent and contracts with data subjects with respect to all geographies, so these routes are suited to support uniform approaches across geographies. Uniform topical coverage is more difficult, because consent and contractual undertakings are often not an option in certain scenarios—for example, in the human resources context (where freedom to contract is limited and consent is deemed coerced) or due to a lack of direct contact with data subjects or a business context that does not induce data subjects to grant consent or conclude contracts.

Companies can also use data transfer agreements and data processing agreements incorporating the Standard Contractual Clauses to legitimize transfers of EEA data to any other country. But the Standard Contractual Clauses require a significant amount of detail regarding data processing practices and purposes to be included in Appendices to the data transfer agreements, which causes many companies to prepare specific agreements for specific scenarios, and this in turn can result in a multitude of limited transfer agreements as opposed to one comprehensive set of rules for all geographies and topics. However, since under the GDPR companies are obligated to prepare "records of processing activities" which must contain, inter alia, the purposes of the processing, a description of the categories of data subjects and of the categories of personal data, the categories of recipients and identification of third countries in case of international data transfers (Art. 30 GDPR), companies are required to map their data anyway.

BCRs, codes of conduct and certification schemes could theoretically provide a comprehensive set of rules and cover any jurisdiction and all data categories. However, BCRs are for intra-group transfers of personal data, i.e., between affiliated companies only, and not for transfers of personal data to and from business partners, such as suppliers, customers, distributors, etc. (Art. 47.1 GDPR). And companies may logically be reluctant to implement truly global BCRs, because commitments required with respect to EEA data may not be appropriate or affordable for data from other regions or countries.


The EU-U.S. Privacy Shield framework can be used to transfer data of any nature, intra-group and vis-a-vis third parties, but it only addresses data transfers from the EEA to the U.S. (or via the U.S. to third countries). It does not cover transfers from the EEA directly to countries other than the U.S.

4. Implementation process and timing. Consent forms and contractual undertakings are relatively easy to prepare and implement in online click-through scenarios, but offline, negotiation and dealing with concerns or push-back raised by data subjects can take a significant amount of time and effort.

Implementing data transfer agreements based on the Standard Contractual Clauses does not typically take companies a lot of time in the intra-group context, because the content of the contracts is largely prescribed and translations in all major European languages are available (courtesy of the European Commission). But companies with many subsidiaries or particularly dynamic corporate structures (think: acquisition or spin-off sprees) view the implementation of data transfer agreements as a more significant burden, particularly if local operations are reluctant to execute the agreements. Moreover, getting unaffiliated business partners to sign the forms can be challenging (although more and more sophisticated companies accept the format and wording of the "official" Standard Contractual Clauses as a necessity).

The greatest administrative burden under the Data Protection Directive used to be, and is currently, associated with implementing BCRs. Firstly, companies have to decide on the content of the rules "from scratch": although there is guidance from authorities, no official templates are available, and the publicly available precedents do not necessarily suit all companies. (See the list of companies for which the BCR cooperation procedure is closed, and the list with links to some approved BCRs.) Moreover, BCRs require approval from data protection authorities in every EEA member state. Currently, 21 countries are part of the mutual recognition procedure: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain and the U.K.

Such a mutual recognition procedure is quite burdensome and cost intensive. However, under the GDPR at least the content requirements for BCRs are set out: BCRs must (i) be legally binding, apply to and be enforced by the group of companies, (ii) expressly confer enforceable rights on data subjects with regard to the processing of their personal data and (iii) fulfill certain specifications outlined in Art. 47.2 GDPR (see Art. 47.1 GDPR). Also, the competent supervisory authority must approve BCRs in accordance with the consistency mechanism, i.e., BCRs will formally be recognized across the EU. The competent authority will be the supervisory authority of the main establishment (Art. 56 GDPR). The supervisory authorities must cooperate with each other through the consistency mechanism (Art. 63 GDPR). It remains to be seen whether the approval process for BCRs will be less burdensome and time consuming under the GDPR.

By contrast, a registration under the EU-U.S. Privacy Shield framework is relatively easy (online filing only), and most EEA member states did not require companies to seek prior approval with respect to data transfers to U.S. Safe Harbor participants, a privilege they may extend to the EU-U.S. Privacy Shield program as it is also an "adequacy" decision. U.S. companies will want to take sufficient time before they submit to the EU-U.S. Privacy Shield framework, because they should conduct the required self-assessment and prepare the relevant due diligence documentation in order to be prepared to answer any questions from Commerce and/or any enforcement actions by the U.S. Federal Trade Commission (FTC).

Such a self-assessment should be undertaken and documented in the context of any of the compliance options; in fact, the ICC Controller Clauses expressly require due diligence efforts as well. But companies will have to consider the dynamics and implications of needing a corporate officer to sign a declaration regarding compliance and self-assessment, a possible review process by third party validators or dispute resolution process providers, as well as the heightened scrutiny from Commerce and/or the FTC regarding applications to join the EU-U.S. Privacy Shield and onward transfer agreements.

It remains to be seen how fast the newly introduced possibility to adduce appropriate safeguards to legitimize data transfers through approved Codes of Conduct can be implemented (it requires approval from the data protection authority and a European Commission decision). The same applies to the new certification mechanisms, which require approval from the data protection authority or from the certification bodies.

5. Ongoing administration. The EU-U.S. Privacy Shield program requires annual re-certification, but changes in the practical details of data processing do not have to be notified to the U.S. Commerce Department. Certification schemes per Art. 42 of the GDPR will be limited to a maximum period of three years and may be renewed. Other compliance options require actions in case of changes (e.g., additional consent, updating contracts or modifying BCRs), but no annual or routine actions in the absence of changes. Approved Codes of Conduct may or may not require ongoing administration, depending on their individual rules.

6. Onward transfers. As companies decide on a mechanism to legitimize their data transfers from the EEA, they should look ahead and consider the implications of each compliance option for the data recipient outside the EEA and its ability to share data originating from the EEA with onward transferees, such as external service providers, business partners, government agencies (e.g., in case of investigations, litigation or reporting obligations) and other non-EEA affiliates (e.g., subsidiaries in North or South America or Asia).


a. Onward transfer based on consent. If a U.S. company receives the EEA data based on valid consent or a necessity to perform contractual obligations, the U.S. data importer does not assume any specific obligations, except as the U.S. data importer may commit to in the context of the consent, or otherwise agree contractually with any data exporter in the EEA. In the absence of contractual obligations, the U.S. data importer would not face any direct restrictions under EU data protection law. Of course, particularly in the context of HR data transfers, the U.S. data importer would be indirectly affected by compliance obligations on its EEA-based subsidiaries, the data exporters. The European data exporters should not allow the onward transfers unless the data subjects have been informed as necessary and the transfers are covered by the scope of the consent or necessity to perform contractual obligations.

b. Onward Transfers based on Standard Contractual Clauses. U.S. companies that agree to the Controller SCC 2004 and Processor SCC 2010 must pass on their obligations verbatim to onward transferees. This is fairly easy to achieve in the intra-group context, but can be difficult or impossible with respect to some categories of unaffiliated onward transferees, e.g., in the context of litigation pre-trial discovery, if a foreign government demands access to EEA data in the context of investigations (this will likely not be different under the GDPR), if a foreign regulator or law enforcement authority seeks to compel access, or when dealing with business partners that do not otherwise have to or want to submit to EU data protection laws. Brian Hengesbaugh and Michael Mensik, Global Internal Investigations: How To Gather Data and Documents Without Violating Privacy Laws, BNA International World Data Protection Report, Volume 8, Number 7 (July 2008) (08 WDPR 3, 7/1/08). But, since many internationally active businesses have become familiar with the workings of EU data protection laws, it seems to become easier and easier to obtain signatures on onward transfer agreements that reference the Standard Contractual Clauses, particularly data processing agreements based on SCC 2010. The Model Controller Contracts tend to be relatively easy to implement with respect to group-internal data transfers and usually do not bring about insurmountable obstacles with respect to onward transfers to unaffiliated entities.


Under the Model Controller Contract, the data importers outside the EEA are not explicitly obligated to implement any particular mechanisms with respect to onward transfers to data processors. But, for various practical reasons, data importers outside the EEA have to sign onward transfer agreements with data processors anyhow. Firstly, onward data recipients cannot be qualified as mere data processors unless they are contractually obligated to act only on behalf, in the interest and per instructions of a data controller. Secondly, the data importer assumes full responsibility for all actions and omissions of its agents under the Model Controller Contract and therefore has to pass on compliance obligations and allocate commercial risks contractually to onward transferees.

c. Onward Transfers under EU-U.S. Privacy Shield. If a U.S. company registers with the EU-U.S. Privacy Shield, then such U.S. company would be primarily obligated to ensure that it provides notice and choice to data subjects prior to transferring data to other data controllers. In order to provide data subjects with "choice," the U.S. company would have to obtain affirmative consent regarding sensitive data (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual); with respect to other data, an opportunity to opt out would suffice. An exception for intra-group transfers does not exist, so companies may have to offer "choice" also for data transfers to affiliates unless they enter into group-internal data processing arrangements or rely on exceptions under EU data protection laws per Privacy Shield Principle I.5. Privacy Shield Adequacy Decision, L 207/49.

EU-U.S. Privacy Shield registrants are permitted to transfer data to data processors subject to a contract and must (i) transfer personal data only for limited and specified purposes; (ii) ascertain that the data processor is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the data processor effectively processes the personal information transferred in a manner consistent with the data controller's obligations under the Principles; (iv) require the data processor to notify the data controller if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to Commerce upon request (see Annex 2, II, 3 b) of the EU-U.S. Privacy Shield). These requirements are stricter than the onward transfer obligations under the Safe Harbor Principles.

d. Onward Transfers under BCRs. If a multinational business implements BCRs, it could cause all non-EEA based entities to submit to the BCRs and thus cover all direct and onward data transfers within the group. But the BCRs do not cover any data transfers outside the group. Thus, groups with BCRs would still have to implement other compliance mechanisms for any direct or onward data transfers to non-affiliated companies. If a group commits in BCRs that it will require onward transferees to adopt the same BCRs or accept them with respect to specific data transfers, such a requirement may be very difficult to satisfy in practice, as vendors and other unaffiliated third parties will be hesitant to review, understand and commit to another organization's custom BCRs.

e. Onward Transfers under approved codes of conduct or approved certification mechanisms. Approved codes of conduct or approved certification mechanisms require binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.


7. Submission to foreign law and jurisdiction. The consent and contractual undertaking routes do not present companies with any specific restrictions as to choice of law or jurisdiction (but general public policy limitations apply, e.g., with respect to consumers and employees). The Standard Contractual Clauses, on the other hand, require the data recipients to submit to the data protection laws and the jurisdiction of the courts of the EEA member state from where the European company transfers the data, and data subjects have a third party beneficiary right to enforce the data transfer agreements in a local court. With respect to BCRs, the data protection authorities in each EEA member state where the BCRs will be implemented may demand similar protections in connection with the approval process. Alternatively or additionally, data subjects could try to enforce the Standard Contractual Clauses and BCRs in U.S. courts.

The EU-U.S. Privacy Shield framework is largely a creation of U.S. law and enforcement will likely occur primarily in the U.S.: Commerce will scrutinize submissions, handle challenges and possibly request information from organizations that register. Also, the FTC is the primary enforcement authority for Privacy Shield violations. And, at least in principle, the FTC, State Attorneys General and private plaintiffs can bring actions on unfair competition, misrepresentation and breach of contract theories in connection with any compliance vehicles.

Courts in the U.S. and EEA courts may take jurisdiction based on traditional rules of civil procedure. Also, with respect to HR data, U.S. companies have to submit to the jurisdiction of and audits by EEA data protection authorities, even in the context of the EU-U.S. Privacy Shield program (Annex II, 5.d, Role of Data Protection Authorities of the Privacy Shield Adequacy Decision).

8. Enforcement risks. Regarding Standard Contractual Clauses and BCRs, enforcement actions have so far not been publicized—neither in the U.S. nor in the EU. In the relatively few enforcement cases involving data transfers from the EEA to other countries, the European Data Protection Authorities have so far preferred to take action against the data exporter, i.e., the local entity that was fully obligated to comply with local data protection laws anyhow. At the same time, the validity of the Standard Contractual Clauses themselves is currently subject to scrutiny, and they may be modified by the Commission proactively or struck down in a similar manner as the Commission decision regarding Safe Harbor.

With respect to the U.S. Safe Harbor program, on the other hand, the FTC had brought more than two dozen enforcement actions, and companies that participated in the program have also been subject to challenges to the program itself in Europe. Brian Hengesbaugh, Lothar Determann, Amy de La Lama, and Michael Egan, U.S. Federal Trade Commission Is Serious About Enforcement of the U.S.-EU Safe Harbor Framework, Baker & McKenzie LegalBytes Special Edition (February 2014). The U.S. Commerce Department and the FTC have committed to enforcing the Privacy Shield more rigorously than the Safe Harbor Program in the U.S., and challenges to the program itself are expected in Europe. Therefore, and based on experiences with the Safe Harbor program, some U.S. companies are concerned about potentially greater risks of enforcement actions if they join the Privacy Shield than if they rely on other compliance options.


9. Public relations and business benefits. In the early years of the U.S. Safe Harbor Program, U.S. companies advertised their registration on consumer-facing websites, touted their registration status in whitepapers on privacy compliance, celebrated the program in communications to employees in the EU and benefitted from the ability to "check the box" in responses to requests for proposals. More recently, the U.S. Safe Harbor Program was increasingly criticized in Europe and U.S. companies started to tone down their certification announcements. U.S. companies that are in the business of hosting or processing data for others (e.g., outsourcing service providers, software-as-a-service companies) were expected to register for Safe Harbor and will likely be expected to register also for the EU-U.S. Privacy Shield program, and customers are unlikely to see an extraordinary effort or benefit in such a registration (but take it as a given).

U.S.-based cloud or processing services providers will also likely not worry much about signing up, because the EU-U.S. Privacy Shield Principles and EU data protection laws generally do not demand materially more in terms of substantive compliance than what is otherwise required in their services agreements. U.S.-based data processing service providers are also expected to agree to data processing agreements based on the Standard Contractual Clauses 2010. Companies that are not pressured by customers to sign up for the EU-U.S. Privacy Shield and do not want to expose their compliance approach to the public eye might decide not to join the Privacy Shield at this time, and implement data transfer and data processing agreements only.

10. Stability. The EU-U.S. Privacy Shield will be reviewed and possibly renegotiated annually by the European Commission and Commerce. SCC are currently challenged. BCR requirements constantly evolve. Requirements for Codes of Conduct and Certifications are still in the process of being developed. Data subjects can revoke their consent to voluntary data processing at any time. Currently, none of the options offers a great degree of stability.

11. International Interoperability and non-EEA Data. Most U.S.-based multinationals are not only dealing with personal data and compliance requirements from the EEA. Increasingly, other jurisdictions are enacting or updating data protection laws and introducing additional or different requirements. A company that registers under the EU-U.S. Privacy Shield would not benefit from such a registration with respect to personal data or requirements from other jurisdictions, given that the program applies only to data from the EEA and only to U.S. companies. But companies that participate in the Privacy Shield program should be able to leverage their self-assessment documentation and privacy notices. Consent, data transfer and processing agreements, and BCRs can also be leveraged for many other jurisdictions, and modified versions of SCC-based data transfer agreements or data processing agreements are also useful internationally.

12. Formalities. The EU-U.S. Privacy Shield requires a formal compliance declaration from an officer of the company in connection with the initial certification and annual recertification. Participating companies are listed on a public website maintained by Commerce, even if and after they withdraw from the program.

For the execution of contracts based on the SCC 2004 and 2010 and any amendments, a signature from authorized company representatives is also required, but these do not have to be corporate officers. Many multinational enterprises work with centralized powers of attorney to facilitate the execution of routine contract amendments, e.g., when addresses of entities change. Companies do not have to publicly disclose their contracts.

Signature, publicity and other formal requirements relating to BCRs, Codes of Conduct and Certification vary from country to country. The European Commission publishes a list of companies that have obtained approvals for BCRs.

Companies that rely on consents or contracts with data subjects do not have to comply with formal signature requirements and are not added to published lists.


VII. Summary

No one size fits all. Each company (and business unit within decentralized organizations) has to assess its own data flows, business needs and risk sensitivities, and this may cause organizations to select different compliance mechanisms for specific countries, business lines, data categories, use cases and other scenarios. With respect to cross-border data transfers from the EEA, multinational businesses must ensure that all three hurdles are taken. When companies choose an appropriate compliance mechanism to establish adequate safeguards for data importers and onward transferees outside the EEA, they should carefully analyze their particular situation, for example, regarding data categories (sensitive or non-sensitive), data flows, processing needs, ability to obtain contractual justifications or consent from data subjects, ability to implement contracts in the entire data transfer chain and implications of a particular compliance mechanism for various other compliance steps and challenges (such as disclosure requests in the context of litigation or government investigations, whistleblower hotlines, employee monitoring, etc.). None of the available options is superior for all companies and all circumstances. But companies that assess their particular situation and all applicable PROs and CONs carefully will often identify a clear favorite for particular data streams and business lines.
