Webinar: US-EU Safe Harbor Framework Declared Invalid
Bruce Heiman (Washington DC)
Ignasi Guardans (Brussels)
Etienne Drouard (Paris)
© Copyright 2015 by K&L Gates LLP. All rights reserved.
What happened?
klgates.com
The Schrems Case (Ruling C-362/14)
* 9/25/13: Irish DPA receives a complaint from a citizen about Facebook transferring his data to the US
  • DPA states it has no right to verify the data transfer; only the EC can, based on EC Decision 2000/520 (Safe Harbor decision)
  • Schrems takes the DPA to the Irish High Court
* 7/17/14: Irish High Court asks the CJEU for a preliminary ruling
  • Is the Irish DPA bound by the EC findings on protection of data transferred to a 3rd state?
  • Can the DPA carry out its own investigation?
* 10/6/15: CJEU ruling C-362/14
  • EC Decision 2000/520 can be reviewed and challenged at national level by DPAs and courts
  • But only the CJEU can declare it void
  • The EU Court reviews it and declares it void
Why Is 2000/520 Declared Invalid?
(= What’s the test for a valid one?)
* Transfers of data can only be allowed IF the 3rd country ensures an “adequate level of protection”, measured according to a non-exhaustive list of circumstances
* The European Commission must assess the level of protection of the 3rd country
  • According to laws & practice
  • Reliability check: effective detection & supervision mechanisms in case of infringement
* But the EC acknowledges that:
  • National security, public interest, or law enforcement requirements have primacy over the Safe Harbor principles
  • No legal protection: data subjects have no administrative or judicial means of redress (FTC only for commercial disputes)
Why Is 2000/520 Declared Invalid? (continued)
(= What’s the test for a valid one?)
* Derogations to the protection of personal data can apply only if “strictly necessary”. Not the case here: no objective criterion determining the limits of access by public authorities and its use for purposes that are “specific, strictly restricted, justifying the interference”
* “Generalized” storage of and access to personal data by authorities compromise the “essence of the fundamental right for private life”
* Effective judicial review is inherent to the existence of the rule of law
* The EC failed to prove “that the US in fact ensures an adequate level of protection”: Decision 2000/520 establishing an equivalent “adequate level of protection” is invalid
Essentially, Two Issues Make Safe Harbor Invalid
Resolving these two issues is what would make a new agreement acceptable in the EU:
* The US Government has access to personal information “without limitation”
  • The EC had already raised concerns that access goes beyond what is “strictly necessary and proportionate” to protect national security
* EU citizens cannot pursue legal remedies to access and correct their data
  • The EC had already raised concerns that there is “no administrative or judicial means of redress” for access and the ability to rectify or erase data
Who May Be Impacted?
‘Personal Data’ Under the EU Framework
Directive 95/46
* Article 2(a)
  • “[…] Any information relating to an identified or identifiable natural person (‘data subject’) […], directly or indirectly, […] by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
* Recital 26
  • “[…] account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.”
Opinions from the “Article 29 Working Party”
* http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/index_en.htm
Are You Subject to EU-US Data Transfer Regulations?
Your company or group of companies is composed of:
1. A US company
  1.1. with personnel, and/or subsidiaries, and/or affiliates, and/or a holding/mother company in the EU
  1.2. using technical infrastructures (including e.g. servers) or service providers located in Europe
  1.3. with commercial partners located in Europe (wholesalers, retailers, distributors, licensees…)
2. An EU company
  2.1. with personnel, and/or subsidiaries, and/or affiliates, and/or a holding/mother company in the United States
  2.2. using technical infrastructures (including e.g. servers) or service providers located in the United States
  2.3. with commercial partners located in the United States (wholesalers, retailers, distributors, licensees…)
3. A US company operating services entirely from the United States and/or a non-EU country, directed at customers in Europe (draft EU Regulation)
Who May Be Impacted in Practice?
Note:
* The situations listed hereafter should be read with the following assumption:
  • “… for the processing of personal data, browsing and localization data, or behavioral data, which may relate, directly or indirectly, to an individual (employee, customer, etc.)”
Which US Companies May Be Impacted?
* Safe Harbor certified US companies
* Non-Safe Harbor certified US companies:
  • that are not bound by group-wide “Binding Corporate Rules” (“BCR”)
  • that have not executed EU-compliant data transfer agreements with their EU mother company, sister companies, affiliates, contractors, subcontractors, service providers, business partners
  • that receive or access personal data from the EU without the data subjects’ consent to the transfer to the US
Which EU Companies May Be Impacted?
* EU companies sending data to their US mother company, sister companies, affiliates, contractors, subcontractors, service providers, business partners
* EU companies sharing databases with their US mother company, sister companies or affiliates
  • without any EU-compliant data transfer agreement in place
  • without any BCR in place
  • without the data subjects’ consent
What Are the Risks?
Popular Solutions Under the Current EU Laws
* Execute EU-compliant data transfer agreements
  • Model clauses from the EU Commission
  • Description of data, purposes and security measures
  • Amend existing notifications with the data protection authority (“DPA”) re. grounds for data transfer
* Implement group-wide “Binding Corporate Rules”
  • Binding list of data protection commitments
  • Approval of the BCRs by the competent DPAs
  • One representative EU entity liable before the competent DPAs
  • All group entities liable before the representative EU entity
* Obtain consent from data subjects
  • Explicit, specific, freely given, discretionary, waivable…
  • Impracticable?
Data Transfer Assessment
* Perform a data transfer audit
  • Checklist tailored to data transfers
  • Review of IT/commercial/outsourcing contracts
  • Look for references to “Safe Harbor”
  • Look for data transfer agreements
* Classify and prioritize
  • Intra-group transfers
  • Transfers to clients
  • Transfers to contractors or subcontractors
* Assess the most effective and practicable legal solution, following the priorities previously defined
Example of Data Transfers Standard Check List (US)
We are a US company and we do (answer YES or NO for each):
* Access/extract HR data from our European-based affiliates
* Access/extract CRM data from our European-based affiliates
* Access/extract accounting data from our European-based affiliates
* Implement a global anti-money-laundering and/or SOX compliance framework from the United States
* Enforce and control a global IT policy from the United States
* Draw statistics about our European employees/customers based on any of the following: health conditions, race, ethnicity, trade union membership, criminal offenses or allegations, religion, sexual orientation
* Consolidate/access a biometric database (e.g., fingerprint, hand shape, iris) for employee access control or other purposes
* Consolidate/access a genetic database
* Operate a global Active Directory including our European employees
* Operate data centers in the EU
* Outsource data hosting in the EU
* Host data from our EU affiliates
* Host data from our EU service providers
* Operate global IT infrastructures from the United States
Example of Data Transfers Standard Check List (EU)
We are a European company and we do (answer YES or NO for each):
* Use global IT services, tools and/or servers provided by our US affiliate/mother company
* Outsource IT services to subcontractors in the United States
* Outsource IT infrastructures to subcontractors in the United States
* Outsource hosting activities to subcontractors in the United States
* Outsource medical analysis to subcontractors in the United States
* Share our database with our affiliates/mother company in the United States
* Provide our subcontractors in the US with access to our EU database
* Provide information related to health conditions, race, ethnicity, trade union membership, criminal offenses or allegations, religion, sexual orientation, to our mother company in the United States for statistical purposes
* Share an online recruiting tool and database with our affiliates/sister companies/mother company in the United States
* Outsource biometric security services to subcontractors in the United States
* Benefit from biometric security services provided and managed/operated by our mother company in the United States
EU Next Moves
Policy / Regulatory Follow-up in the European Union
* EC Vice-President Frans Timmermans
* EC Commissioner Věra Jourová
* European Parliament LIBE Committee
* Article 29 Working Party
US Next Moves
Will a US-EU Safe Harbor 2.0 Provide Relief
From the ECJ/EU Privacy Regulation Storms?
Safe Harbor 2.0 Negotiations Were in Final Stage…
* Impact of the Snowden disclosures (June 2013)
* EC’s 13 Recommendations for Improvement (November 2013)
  • Transparency
  • Enforcement
  • Redress
  • Access by U.S. authorities
* Increased FTC enforcement (January 2014)
* Key issue: Recommendation 13 – National security exception
  • “Strictly necessary or proportionate”
* Note parallel initiative – EU-US umbrella agreement
  • Protection framework for data transfers for law enforcement purposes
  • EU citizens should have the same privacy rights and remedies available to US persons
Need to address two prongs of the ECJ decision
* USG unrestricted access to information
  • PRISM program disbanded
  • Section 215 bulk collection of telephone metadata ended (USA Freedom Act)
  • Final resolution of “strictly necessary and proportionate” (?)
* EU citizens’ ability to access and correct data
  • Judicial Redress Act (H.R. 1428)
  • Legislative prospects
Commerce Secretary Pritzker Reaction
“Since 2000, the Safe Harbor Framework has proven to be critical to
protecting privacy on both sides of the Atlantic and to supporting
economic growth in the United States and the EU. We are deeply
disappointed in today’s decision…”
“For the last two years, we have worked closely with the European
Commission to strengthen the U.S.-EU Safe Harbor Framework, with
robust and transparent protection, including clear oversight by the
Department of Commerce and strong enforcement by the U.S. Federal
Trade Commission.”
“The court’s decision necessitates release of the updated Safe Harbor
Framework as soon as possible.”
Q&A With K&L Gates Presenters
Bruce J Heiman
Partner, Public Policy and Law – Washington DC
+1.202.661.3935
bruce.heiman@klgates.com
Ignasi Guardans
Partner, Public Policy and Law – Brussels
+32.(0)2.336.1949
ignasi.guardans@klgates.com
Etienne Drouard
Partner, Privacy, Data Protection and Information Management – Paris
+33.(0)1.58.44.15.12
etienne.drouard@klgates.com