Global Privacy—A Baker & McKenzie Client Alert
Submitted by Michael Mensik
The European Directive and Global Data Transfers
A Practical Analysis of the New ICC Contract Clauses
The European Commission (“EC”) recently issued a decision that changes the regulatory landscape regarding global personal data transfers. Specifically, prompted by the International Chamber of Commerce (“ICC”) and other business groups, the EC approved a new set of contract clauses that can authorize the cross-border transfer of personal data to the United States and other non-EU locations. For US multinational companies seeking a new option to address global data protection regulations, this new set of clauses may provide an attractive alternative. However, any US company that considers whether to adopt the new clauses must understand the specific terms in those clauses, and also must have a firm understanding of the relative advantages and disadvantages of those terms compared with the options available. This Client Alert provides a brief introduction to these issues. Ultimately, despite several important features in the new ICC Clauses, companies will find that there is no “one size fits all” solution. Different companies will still (logically) choose different solutions, based on their particular business operations and situation, such as their size and location of operations, types of data flows, risk assessment and risk tolerance, litigation or claim experience, relationships with data transferors in the EU, and other factors.
I. EC DATA PROTECTION DIRECTIVE
The EC Data Protection Directive 95/46/EC (“Directive”) establishes a “minimum framework” of data protection requirements in the EU. These requirements apply to any collection, use, disclosure, or other processing of information about an identified or identifiable natural person in the European Union (“Personal Data”). As such, the Directive is “omnibus” and applies broadly to all industries and business sectors. The Directive is more expansive in scope than any “sectoral” privacy law in the United States, such as the consumer financial privacy provisions under the Gramm-Leach-Bliley Act (“GLBA”) or the health and medical privacy provisions under the Health Insurance Portability and Accountability Act (“HIPAA”).
For example, Personal Data under the Directive includes a broad range of information about a company's employees, such as name, performance data, compensation information, health or medical benefits data, and the like. Personal Data also includes information about consumers, such as name, demographic information, credit card and payment information, consumer purchases, certain data captured through cookies and website activities, and the like. In addition, the term Personal Data also reaches to certain information about the representatives of corporate customers, suppliers, and other legal entities, such as contact information or CRM data about purchasing agents of corporate customers.
A. DIRECTIVE REQUIREMENTS
In general, the requirements in the Directive can be divided into two “big picture” categories: 1) compliance obligations that apply in the local EU country (“Local Compliance Requirements”); and 2) restrictions on cross-border data transfers to jurisdictions outside the European Economic Area (“Cross-Border Transfer Restrictions”).
1. Local Compliance Requirements
The Local Compliance Requirements apply in the EU to organizations that obtain Personal Data and have the authority to decide the purposes and means by which such data will be used and processed (“data controllers”). The types of “local compliance” obligations that apply to data controllers include: (a) data collection, use, and disclosure requirements (e.g., limitations on collections, privacy notices, consents (especially for “sensitive” data), limitations on disclosures to third parties, imposing privacy contracts on outsourcing providers and third parties, and the like); (b) obligations to respect the rights of data subjects (e.g., rights to access, review, and delete their data, opt out of direct marketing at any time, and the like); and (c) procedural requirements (e.g., filings with authorities, appointments of privacy officers, consultations with works councils and employee representatives, and the like). The specifics of these requirements vary from jurisdiction to jurisdiction, and US companies must therefore understand the particular rules for the jurisdictions in which they have operations. In addition, there are other requirements in the EU, beyond the Directive, that will affect the handling of Personal Data, such as separate restrictions on spam marketing, electronic communications interceptions, and the like.
2. Cross-Border Data Transfer Restrictions
Beyond the Local Compliance Requirements, the EC Directive generally prohibits the transfer of Personal Data to any third country outside the European Economic Area (“EEA”) unless there is “adequate protection” for such data in the jurisdiction where it is received (“Adequacy Requirement”). There are at least several situations where a data controller in the EU can transfer Personal Data to an organization in the United States without violating the Adequacy Requirement:
• The data controller in the EU and the recipient in the US adhere to a contract that incorporates model contractual provisions issued by the European Commission (“Model Controller Contract”);
• The recipient in the US has publicly and properly declared its adherence to the US-EU Safe Harbor Privacy Principles (“Safe Harbor”);
• The data controller in the EU and the recipient in the US are subject to a set of binding corporate rules that provide adequate protection for Personal Data (“Binding Corporate Rules”); and/or
• The affected individuals in the EU have provided express consent for the transfer (“Consent”).
The European Commission has also recently added to this list of options by approving an additional set of contractual clauses, as proposed by the International Chamber of Commerce and other business groups (“ICC Clauses”). Beyond this short list of options, some companies are seeking different solutions based on their own particular data flows, risk assessment, and other factors.
B. ICC CLAUSES
The ICC Clauses are a standard set of contractual terms that can authorize the transfer of Personal Data from the EU to data controllers in the US or other non-EU countries. For example, the ICC Clauses could be applied where a European subsidiary transfers internal employee Personal Data to its parent company in the United States for purposes of performance evaluations or other employment matters. The ICC Clauses may also be applicable where a European subsidiary transfers customer Personal Data to an affiliated company in the US in connection with managing the business, or promoting or marketing group products or services. The ICC Clauses also may apply where a European company transfers Personal Data to an unaffiliated business party or third party marketing firm in the United States.
Importantly, the ICC Clauses would probably not be directly applicable in situations where a company (or subsidiary) in the EU transfers Personal Data to a service provider or other “data processor” in the United States. Examples of such situations may include multi-jurisdictional human resources outsourcing or business process outsourcing transactions. In those instances, the EU company should consider the EC standard contractual clauses for data processors (“Model Processor Contract”), or other regulatory solutions to address the data protection and regulatory issues in such transactions.
Regarding implementation, the ICC Clauses cannot be modified in any manner that would contradict, indirectly or directly, the clauses or the data protection rights of the data subjects. Companies must take the clauses “as is,” and therefore should consider all the provisions carefully. Businesses are, however, permitted to add provisions that do not affect the privacy protections in the clauses, such as indemnity rules. The EC decision regarding the ICC Clauses is applicable as of April 1, 2005. An introduction to some of the differences between the ICC Clauses and the other options for transfers to US companies is provided below.
1. Model Controller Contract vs. ICC Clauses
The ICC Clauses have some distinct advantages over the Model Controller Contract, and also some disadvantages. The Model Controller Contract is, like the ICC Clauses, a set of standard contractual provisions that would be implemented in an agreement between the entity in the European Union transferring the data (called the “Data Exporter”) and the entity in the US receiving the data (called the “Data Importer”). Both of these standard contract forms impose restrictions on the Data Importer regarding use, disclosure, security, and other aspects of data handling. Both also require the Data Exporter in the EU to warrant that its data handling practices comply with applicable local laws. In addition, neither contract form can be varied in a manner that contradicts, directly or indirectly, the privacy protections in the standard terms.
In practice, companies have sometimes avoided using the Model Controller Contract because it contains: (a) express third party beneficiary rights for all the data subjects to sue either the Data Exporter or the Data Importer for violations of the contract terms, and (b) joint and several liability for all parties to the contract. Both of these provisions are modified in the ICC Clauses. With regard to provision (a), the ICC Clauses contain express third party beneficiary rights for the data subjects to pursue the Data Exporters (i.e., the EU entities), but Data Importers are only subject to express third party beneficiary rights in a delayed manner.
Specifically, the third party beneficiary rights apply directly against the Data Importers only where the Data Exporters have failed to properly pursue the Data Importer for violations of the contract terms. In such instances, data subjects may seek relief in their home country against the Data Importer directly.
With regard to provision (b), the ICC Clauses have eliminated the joint and several liability regime in the Model Controller Contract. As a substitute, the ICC Clauses contain a “due diligence” process where the Data Exporter warrants that it has used reasonable efforts to determine that the Data Importer can satisfy its obligations under the contract. In combination with this, the ICC Clauses also contain enhanced provisions to allow EU data protection authorities to block or suspend data transfers in the event that a Data Importer refuses to cooperate in an audit, or where the Data Exporter fails to enforce the contract against the Data Importer in the event of a breach. In comparing these two options, the absence of the joint and several liability regime in the ICC Clauses may be particularly attractive where the contract is implemented between unaffiliated parties (where neither wants to be legally responsible for the privacy mistakes of the other).
On the other hand, the due diligence aspects of the ICC Clauses might be less attractive in certain situations where a US parent does not want its European subsidiary to conduct privacy inquiries regarding its activities in the United States. Ultimately, individual companies that have decided to use a contract-based approach (and not the other options below) will need to evaluate carefully how the differences between the ICC Clauses and the Model Controller Contract will apply in their particular situation.
2. Safe Harbor vs. ICC Clauses
The Safe Harbor is a notably different type of vehicle than the ICC Clauses. The Safe Harbor is a self-regulatory privacy framework. It involves a public declaration by the US company that it adheres to seven Safe Harbor Privacy Principles (notice, consent, onward transfer, access, data security, data integrity, and enforcement) and the 15 explanatory texts called “Frequently Asked Questions” (“FAQs”). The benefits of Safe Harbor participation are assured when the company completes a self-certification with the US Department of Commerce that it adheres to the Principles. Any violations of the Principles by such companies will be actionable by the US Federal Trade Commission (“FTC”) or, where applicable, the Department of Transportation (“DOT”).
One important potential advantage to the Safe Harbor is that it typically does not require the implementation of contracts between the European entities and the US recipients. Depending on the circumstances, such as the number and type of EU entities transmitting data to the United States, this may represent a substantial savings of administrative burden and cost. It also may offer a marketing advantage for US companies seeking to do business in the European Union.
Another potential advantage is that there are no express third party beneficiary rights to sue the US recipient under the Safe Harbor. Data subjects have the right to make complaints to the company, and also to a mediation or arbitration process. But ultimately, the Safe Harbor provides that claims will be resolved by the FTC or the DOT as applicable (and not through individual litigation). In practice, a data subject could always seek to find a tort or contract-based action against the US company, but such an action would not be based on express third party beneficiary rights in the Safe Harbor.
At the same time, there are possible disadvantages to the Safe Harbor. The US company's name and additional information will be posted online on the US Department of Commerce's Safe Harbor List. This might raise the company's visibility on EU data protection issues, and perhaps attract attention from European data protection authorities. Also, the US company will be subject to the authority of the FTC or the DOT for any violations of the Safe Harbor rules. Some US companies have noted that they would prefer to avoid FTC or DOT authorities on these issues.
Another possible disadvantage to the Safe Harbor, and indeed possibly an unavoidable one depending on the company's industry sector, is that participation in Safe Harbor is only open (at present) to entities that are actually subject to FTC or DOT authority. Financial services, telecommunications, and other industry sectors that are excluded from FTC and DOT authority are not eligible to join. In addition, it is worth noting that Safe Harbor is not a complete solution to the data protection issues in a multijurisdictional outsourcing arrangement.
3. Binding Corporate Rules vs. ICC Clauses
The Binding Corporate Rules approach is available for situations where Personal Data is shared across the Atlantic among a group of affiliated companies. The approach essentially involves the imposition of a group-wide code of conduct for collecting and processing Personal Data.
In terms of advantages, the Binding Corporate Rules approach may be achieved without the “due diligence” procedures and third party beneficiary rules that are found in the ICC Clauses. Another advantage is that the group of companies can tailor the terms and descriptions of the rules so that they can be more easily understood and implemented by the company employees in the US and elsewhere.
A disadvantage to the Binding Corporate Rules approach is that the rules may require prior approval by local data protection authorities. This is not the case in all EU countries, but where applicable, it may require the expenditure of resources to negotiate with local authorities for approval of the proposed terms. Notably, the Article 29 Working Party of European Data Protection Authorities has issued an opinion paper supporting the concept of a “Binding Corporate Rules” approach. This opinion also indicated a desire of the authorities to move toward a “mutual-recognition” approach to these rules, such that if one Member State's authority approved a code, it would be recognized in other EU jurisdictions. Such a system has not yet been established, although it would certainly be a logical methodology for handling these matters. Until such a system is established, Binding Corporate Rules may be a cumbersome and time-consuming approach when implemented across multiple jurisdictions in Europe.
4. Consent vs. ICC Clauses
Consent is a substantially different type of approach than the ICC Clauses. Consent is usually obtained by having the data subject affirmatively indicate that his or her Personal Data can be transferred to a jurisdiction that does not provide adequate protection. Consent has the distinct advantage of avoiding many of the strict and unchangeable requirements of the ICC Clauses. The company drafts the consent form on its own (although with reference to the applicable legal requirements), and therefore has control over the terms in the document. The Consent approach may also work particularly well in the online setting, where it is relatively easy to procure an appropriate click on an “I Agree” button or comparable feature.
The disadvantages to Consent include that it may not work well in all circumstances. For example, the Article 29 Working Party of Data Protection Authorities issued an opinion that casts doubt on whether a consent from an employee is valid in all circumstances. In particular, due to the perceived imbalance of bargaining power between the employer and the employee and other factors, such consent might not be “freely given” (a requirement for valid “consent”). Another possible disadvantage to Consent is that there may be a “drop out” rate, where a percentage of individuals will not actually agree to the transfer.
II. BEYOND THE EUROPEAN UNION
Beyond the EU, there is a growing body of data protection and privacy requirements in non-US jurisdictions. For example, Argentina, Australia, Canada, Chile, Hong Kong, Japan, New Zealand, Switzerland, and other countries have adopted comprehensive data protection requirements, and more legislation has followed or will follow in other locations. In part, this is actually driven by the Directive, because these countries want to make sure that they provide “Adequate Protection” for data in a manner that allows the smooth flow of commerce between local companies and the European Union. US companies that do business with such non-EU jurisdictions must therefore account for the local data protection requirements. In practice, the options for addressing the Adequacy Requirement in the EU tend to be the most mature and detailed cross-border vehicles available. The “solutions” to the cross-border transfer restrictions in non-EU countries tend to be based on the principles in the EU vehicles. Therefore, a company may wish to first consider how it will address the Adequacy Requirement in the EU, and then turn to determine how it would adapt that solution to the regulatory restrictions it faces in the rest of the world.
III. PRACTICAL ADVICE
At this stage, the process of selecting a suitable solution to global data transfer restrictions is more art than science. Companies should first develop a good understanding of the relative advantages and disadvantages of each option available. There are advantages and disadvantages of the new ICC Clauses vs. the other options available to US companies. There are also differences among the other options themselves that should be considered (e.g., the advantages and disadvantages of Consent vs. Safe Harbor). Perhaps most importantly, companies must examine the relevant variables as they apply in their particular situation. At the end of the day, there is no “one size fits all” solution for all companies in all situations. Companies will need to make a tailored decision based on a variety of factors, such as the company's size and location of operations, types of data flows, risk assessment and risk tolerance, litigation or claim experience, relationships with the transferor entities in the EU, and other factors.
For further information, contact
Brian Hengesbaugh
Tel: +1 312 861 3077
Fax: +1 312 861 2204
E-mail: brian.hengesbaugh@bakernet.com
Michael Mensik
Tel: +1 312 861 8941
Fax: +1 312 698 2290
E-mail: michael.s.mensik@bakernet.com
Lothar Determann
Tel: +1 415 984 3882
Fax: +1 415 576 3099
E-mail: lothar.determann@bakernet.com