A Primer on Data Protection and eDiscovery – Part 2
Time now for the second and concluding part of our primer on data protection and eDiscovery by Stephanie Blair, the founder and practice group leader of global law firm Morgan Lewis’s eData Practice and Laura M. Kibbe, of counsel in Morgan Lewis’s eData Practice…
When you receive an email and file it away, where does it go? Does it matter if you read it on your home laptop? While riding the subway to work? While on vacation on a tropical island? Is it stored on a server maintained by your company’s IT department? Or is it sent to a server maintained by an Internet service provider a continent away? These sorts of questions are becoming more common as globalization makes the world ever smaller. Moving these communications from one jurisdiction to another is at the heart of the conflict between data privacy and the requirements of justice and legal systems.
Where the law requires it, mechanisms are starting to evolve to allow such transfers to take place while maintaining data privacy and security as much as possible. Most of these methods have developed through bilateral or multilateral negotiation, and have involved both state actors and the private sector. This article will cover a handful of the most common methods of transfer between the United States and members of the EEA.
The Need for Transfer Solutions
The Directive allows for personal data to be processed and transferred, even outside the EEA, with the consent of the data subject. Easy enough, right? Not exactly. Consents must contain specific instructions, and government or other approval may even be required before approaching the data custodian. For example, in Germany, approval of the company’s works council is generally required before a data subject may be approached to give consent. At a minimum, this administrative step means that any transfer is not likely to happen quickly. The various DPAs have determined that consent must be freely given and fully informed, and the data subject must be able to revoke it at will. The data controller must inform the data subject of the purpose for which the data will be used, which may not always be feasible in the case of an internal investigation. Even where consent is obtained, there is often a limit to the onward use of that information. Further complicating matters is that consent must be obtained from all data subjects. This goes beyond an email’s sender or a social media account holder. Anyone who can be identified by any of the data being transferred is a potential data subject, and would also have to give an informed consent.
The obvious impracticalities of this situation have led to a few accepted means for effectuating transfer without full consent. The first of these is a Safe Harbor Certification. This is a set of protocols that were developed by the European Commission and the U.S. Department of Commerce (“DOC”). This certification allows transfer from Europe to U.S. companies that self-certify on an annual basis that they are in compliance with these protocols and thus possess an “adequate” level of protection for the personal data being transferred. Only companies that are subject to the DOC or Federal Trade Commission (“FTC”) can avail themselves of Safe Harbor. To obtain certification, they must register with the Safe Harbor program and must be in compliance with seven principles:
- They must provide public notice of their policies on the collection and transfer of personal data, the types of third parties to whom the data may be transferred, and the policies in place to limit the data’s use and disclosure. In this notice, they must provide information as to how the public can contact them with complaints or questions.
- Individuals must have the ability to “opt out” of having personal data disclosed to a third party or its use for any other purpose than that for which it was originally collected.
- They must ensure that any third parties to which they transfer data also adhere to the Safe Harbor provisions.
- Individuals must be able to determine what data about them the organization holds and they must have the ability to correct or delete any inaccurate information about them.
- Reasonable precautions must be in place to maintain data security and integrity.
- Reasonable steps must be in place to ensure the accuracy and completeness of the data for its intended use.
- There must be some sort of independent and reasonably affordable mechanism in place to remedy complaints and disputes, verify compliance with the requirements, and sanction non-adherence with enough force to ensure future compliance.
Safe Harbor can be a good option in the case of routine business transactions. However, the requirements of notice and consent can cause issues in the case of an internal investigation, or if a data subject revokes consent after data is already in the United States. Provisions related to onward transfer can also cause problems if the U.S. recipient becomes obligated to transfer the data to an adverse party or government agency due to subpoena.
Further complicating matters is the fact that Safe Harbor itself has recently come under attack. There have been calls to further strengthen the compliance requirements with the seven Safe Harbor principles (compliance certification is strictly voluntary and can be self-certified by the company), provide additional enforcement mechanisms, or scrap the program altogether. The European Parliament has gone so far as to recommend the complete dismantling of Safe Harbor. This is unlikely to happen; however, discussions are ongoing as to how to change the program to alleviate European concerns over transfer of personal data to the United States.
Standard Contractual Clauses and Binding Corporate Rules
If Safe Harbor is not an option, there are a few other, more administratively burdensome methods to effectuate processing and potential transfer internationally. The first is through Standard Contractual Clauses. These allow transfer to the United States or other countries with “inadequate” levels of protection. Both the sender and recipient of data must agree to be bound by contractual provisions that mirror those of the Directive. These provisions should be crafted very carefully to avoid claims for breach by data subjects. Companies may also have to notify the applicable DPAs in advance of any potential transfers of data outside the EEA. The European Commission has adopted several sets of model clauses that should be used without any modification (except to add additional clauses in some cases). DPAs can terminate data transfers at any time if the terms in the clauses are not met. In addition, they may be able to impose monetary fines and, in some countries, criminal penalties.
The biggest problem that most U.S. entities have with the use of these clauses is the provision for joint and several liability among U.S. and European counterparts. However, from a U.S. enforcement perspective, this clause can actually serve to shield the U.S. entity from liability under data privacy acts or EU law. This issue should be considered when deciding between Safe Harbor certification, which is subject to FTC enforcement in the United States, and Standard Contractual Clauses, which have no binding effect in the United States.
The other method allowing for onward transfer of personal data without consent of the data subject is BCRs. These are only available to companies within a corporate family group. The relevant DPAs must approve any BCRs that are proposed. These will protect transfer of personal data between entities in the same corporate family—even internationally. However, transfer outside of the corporate family to a third party would not be covered. These may prove useful when conducting an internal investigation, but it is important to remember that even preapproved BCRs are still subject to applicable regulations set by the data privacy acts. The use of BCRs recognizes the need for a global company to transfer data between subsidiaries and affiliates for legitimate business purposes. Many of the proposed privacy reforms acknowledge this need, particularly with respect to HR data that is most useful to a global company when consolidated in one location (trending, benefit administration, salary banding, etc.).
There are other mechanisms in place that can be used to effectuate transfer if none of these will serve. The Hague Service Convention and diplomatic rogatory letters have long been available. However, the process for obtaining transfer through their use is extremely cumbersome and expensive, and can take upwards of a year to complete. Several nations also have entered into mutual legal assistance treaties (“MLATs”). These were first adopted to promote information sharing in international tax matters. They are also often utilized when data transfer is needed in criminal matters or matters involving national security. The MLAT between Ireland and the United States has most recently been invoked in the matter of In re Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft, ____ F. Supp. 2d ___ (S.D.N.Y., Apr. 25, 2014). In that case, U.S. authorities sought to enforce a warrant to search an email account maintained by Microsoft on servers located in Ireland. It is the opinion of Microsoft and the Irish authorities that the correct method to obtain that information would be through the MLAT. However, the U.S. courts have disagreed, stating that the U.S. company has control over the information and the ability to access it without setting foot on Irish soil.
Best Practices and Recommendations
When managing the vast amounts of potential personal data generated on a day-to-day basis, it is certainly tempting to consolidate data storage and management. Keeping all data in a central location can make it easy to access, allow for uniform treatment, and maximize cost efficiency. However, if that data impacts data subjects, controllers or processors in disparate geographic locations, the ensuing headaches when the data is actually used can negate those benefits. The interplay between legal mandates and privacy rights can be difficult to maneuver through even within national borders. When you throw in the laws of multiple jurisdictions, matters become exponentially more complex.
At the other end of the spectrum, it may be tempting to compartmentalize data and keep it contained within individual countries as much as possible. This would certainly cut down on the potential risks inherent in international transfer. However, plans would have to be put in place to customize each jurisdiction’s data creation, storage, and use in line with local regulations. This can add layers of complexity and cost, and would still not solve the problems created if situations arise requiring extra-jurisdictional transfer.
When deciding whether a consolidation plan is the right fit for your organization, consider whether there is a valid business purpose for any post-consolidation transfer of personal data. Also, be ever mindful of overarching principles of data protection and security.
A good consolidation plan should implement the following principles:
- Individuals should be notified that their data is being collected and informed of its potential use,
- Individuals should be given the option to opt out of the collection or transfer of data,
- Any transfer to third parties should ensure that the data recipients also adhere to data-protection principles,
- There must be adequate protections in place to protect data against loss or breach,
- Individuals should be permitted to inspect their data and correct or delete inaccuracies, and
- There must be an effective mechanism to enforce these rules built into company compliance programs.
If you are contemplating consolidating data in the United States, consider the use of the mechanisms described above, in concert with a strong compliance and employee training program. Be sure to get a handle on back-door access to IT frameworks as well as all of the individuals who may be able to gain practical access to data. You may also want to consider a regional approach where data is consolidated to a certain degree without bringing it all into one jurisdiction. No matter which route you decide to take, be sure to work with experienced counsel to make sure that your plan avoids unreasonable risk and takes into account relevant local laws and regulations.