Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0

This has become an increasingly important and common question as business becomes more global and companies grow, reorganise or merge.

There has been a lot of discussion, not least in the context of the European Commission’s proposal for the new EU regulation to replace the EU Data Protection Directive and the EU Article 29 Data Protection Working Party’s push towards ‘‘privacy by design’’, about the best way for companies to adequately safeguard personal data which is transferred out of the European Economic Area, thereby ensuring that their transfers are compliant with EU data protection laws relating to extra-EEA transfers.

Many commentators, including some of the key EU regulators, have noted that there remains a lot of confusion, and a fair amount of misinformation, surrounding the pros and cons of the various routes used to ensure that extra-EEA transfers are compliant. It is certainly true in the authors’ experience that even quite sophisticated companies and knowledgeable data protection officers can many times have an out of date view, and better solutions are indeed available.

This article looks at some of the common misconceptions and takes a fresh look at the key routes to ensuring compliance. As will be seen, for various reasons, Binding Corporate Rules 2.0, as we might call them, are worthy of fresh consideration, even where they may have been overlooked or discounted as a way to ensure compliance only very recently.

What Does EU Law Say about Extra-EEA Transfers?

By way of recap, the law in the European Union is such that personal data can be transferred to a country or territory outside the European Economic Area only if that country or territory ensures an adequate level of protection for the rights of individuals in relation to the processing. The European Commission has, of course, drawn up a list of countries or territories which are deemed ‘‘adequate’’ for this purpose, this narrow list containing the likes of Argentina, Switzerland, Israel and, more recently, New Zealand. Conspicuous by their absence from this list, however, are a number of large countries where multinationals typically operate or are headquartered, such as the United States. If a company wishes to transfer personal data outside the European Economic Area and an importer is not on the European Commission’s ‘‘adequate list’’ (being based in, say, the United States), then such an exporter has to rely on another ‘‘route’’ to ensure its transfers are compliant with, and not in breach of, EU law.

In terms of the alternative routes available, at least in theory, an exporting entity could form its own view that a third country/importing entity ensures an adequate level of protection. However, the general consensus is that this practice comes with a serious health warning, to the extent that this should be relied on only in the most clear-cut cases. There is absolutely no guarantee that an EU regulator’s view would align with the exporting entity’s, meaning that entity could find itself in considerable hot water, namely, on the end of an enforcement notice preventing the transfer (which could cause a great deal of inconvenience to even the smallest of businesses with international operations) and/or a fine.

On the issue of fines, one noteworthy development is, of course, that the powers for EU regulators to fine those found to be non-compliant have significantly increased recently. By way of example, the UK Information Commissioner has been empowered to issue on the spot fines of up to £500,000 (U.S.$761,886) for more serious breaches since April 2010, and discussions in the European Union suggest that even larger fines, of up to 2 percent of global turnover (revenue), may well be with us soon.

Another option for an exporter is to try to rely on one of the exceptions which permit a transfer, such as by obtaining the consent of the individual concerned to the transfer. It is fair to say, however, that this is most certainly not as simple as it sounds. In practice, it can be very difficult to get this right, not least because many regulators interpret this very narrowly indeed (the Dutch view, for example, being that there is a presumption that consent can almost never be freely given by an employee to an employer, given the bargaining position of the parties).

So what about the remaining options available to ensure that personal data transfers from the European Economic Area are compliant?

EU-U.S. Safe Harbor Program

Let’s look at the EU-U.S. Safe Harbor Program, which for a number of years has been viewed by some as one of the better ways to comply. However, recent developments, and some serious downsides that are often overlooked, should be considered in the mix before choosing this as one’s ‘‘solution’’.

Whilst this scheme has relative simplicity as one attraction, and is unlikely to disappear anytime soon, support for the scheme does appear to be waning in some EU quarters, particularly because it is viewed as inadequately dealing with the issue of onward transfers once personal data arrives in the United States.

In addition, it addresses only transfers from the European Economic Area to the United States, and so is of limited help for global companies.

A further important aspect, and one that is often over-looked, is that, by signing up to the scheme, one exposes oneself to liability and enforcement action in the United States.

Of note is the fact that the U.S. Department of Commerce and the U.S. Federal Trade Commission have responded to recent criticism by saying they will be increasing scrutiny and enforcement.

Download: Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0