Ocean’s Apart: Data Transfers between the EEA and USA

May 19, 2010

Since the Data Protection Directive (95/46/EC) became effective in 1998, individuals, businesses and governments outside the European Economic Area have grappled with compliance with its terms (Articles 25 and 26) when sending personal data outside the EEA.[1] The Directive prohibits the transfer of personal data outside the EEA to countries that do not provide an ‘adequate level of privacy protection for natural persons’ (Adequate Protection). The theoretical underpinnings of the Directive and the European Commission’s determination of ‘adequacy’ are, at times, at odds with technology, modern business practice and the laws of many countries outside the EEA – specifically the USA. This article examines the current state of affairs between the USA and EEA concerning the lawful transport of personal data: philosophical differences, political priorities, the structure of each country’s data protection laws and the latest issues under consideration by the US Department of Commerce (DoC), Federal Trade Commission (FTC) and the Article 29 Working Party are all considered.

Basic Differences Underlying Personal Data Issues 

The Directive comprises eight principles that define European data protection; it prohibits sending personal data outside the EEA to non-EEA nations that lack these protections. A finding by the Commission that an outside nation complies with the Directive is referred to as ‘adequacy’. There is no single comprehensive law in the USA regulating the collection, use, processing and protection of personal data and, as a result, the US has been deemed not to meet the adequacy requirement. Differences in philosophy and political structure underlying data protection and enforcement in the USA explain the European Commission’s view that the USA lacks ‘adequacy’.

The approach to data protection in the USA is a voluntary, self-policing one based on the protection of property and a reasonable expectation of privacy rather than treating data protection as a single fundamental right. Regulation of data privacy in the USA, at both the state and federal level, is directed at protection of sensitive data in specific sectors such as health care, financial, credit, banking, and child protection (see Liz Harding’s article providing an overview of the US legal framework), as well as prohibiting unfair and deceptive trade practices and encouraging data security through breach notification laws (45 States now have breach notification laws).  US data protection is based on a two-tier federalist legislative system resulting in a myriad of overlapping, and at times conflicting, state and federal laws. Further complicating matters, government agencies and industry groups have developed guidelines that do not have the force of law, but are part of self-regulation and best practices initiatives.   

Historically, US data protection legislation has come about as a response to various political and social issues rather than as a comprehensive legislative regime. This contrasts with the European view of data privacy as a fundamental human right. In order to solidify this perspective, the EU made data protection a part of the Lisbon Treaty, which came into force in 2009. Article 16 of that Treaty states that ‘everyone has the right to the protection of personal data concerning them’, thus virtually equating data protection with basic human rights and qualifying it for comparable protection. In contrast, the USA has no explicit right to privacy in its Constitution, and its privacy laws are derived from various guarantees set forth in the Bill of Rights and the Fourteenth Amendment. The USA and EU are somewhat polarised in this regard. The philosophical and constitutional guarantees underlying US law effectively close the door to an overarching legislative initiative that would recognise data privacy as being on the same level as a human right. At the same time, the EU is extending data privacy as a human right as part of a new global initiative.

Specifically a programme was adopted at the 31st International Conference of Data Protection and Privacy Commissioners in Madrid in November 2009 (the Madrid Initiative), for an international privacy framework standard based on the Directive.  The conference participants voted to gather support for a UN Convention on privacy as a fundamental human right. A similar initiative is well underway within the International Standards Organisation (ISO). 

In a recent interview, Damon Greer (Director, US-EU & Swiss Safe Harbor Frameworks at the Department of Commerce) said that, while the EU has continued to reach out to countries around the world in a push for global data protection, there is little likelihood that the US will adopt European-style data privacy legislation. In response to the Madrid Initiative, Greer explained:

‘US concerns stem from the fact that the US and EU represent more than 50% of the world’s GDP and that a global framework imposed on nations, countries such as the US that do not subscribe to the European viewpoint, would serve to dampen innovative growth, new technologies and ideas that would propel the global economy. We need to keep the transatlantic bridge to economic activity open…We need to engage in a dialog that advocates for a reasonable approach to a complex set of issues that is as local as it is global.’


The Art of Compromise

The reality of doing business in a global economy is that data, including personal data, must be transported across geo-political boundaries despite philosophical differences. As a result, the USA and EEA have developed various techniques for reaching a compromise and structuring agreements regarding the transport and handling of personal data between the USA and EEA so that the two can ‘agree to disagree’. The USA and EU have agreed on three mechanisms for coping with the transport of personal data from the EEA to the US: the Safe Harbor, Binding Corporate Rules (BCRs) and Model Contractual Clauses. Each of these has continued to evolve since it was instituted and approved by the Commission in the early noughties. The Federal Trade Commission Act regulates these mechanisms and it applies to most companies and individuals doing business in the USA, other than transportation, telecommunications and financial/banking/insurance companies, which fall under the authority of their own federal regulatory agencies. The Federal Trade Commission Act does not regulate personal data per se, but protects against unfair and deceptive trade practices that affect consumers’ personal information.

Safe Harbor

The US and EEA devised the Safe Harbor scheme in 2000 (Switzerland joined the scheme with its own rules in December 2008). Under the scheme, US companies sign up to a self-regulated regime overseen by the US Department of Commerce and enforced by the Federal Trade Commission. Approximately 2,100[2] companies are on the Safe Harbor list, which has grown massively over the last few years. To be a part of the Safe Harbor scheme, companies must annually certify adherence to the Safe Harbor Privacy Principles (SHPP), a document which contains all of the basic tenets of the Directive, and each company must identify itself as a member of the Safe Harbor on its web sites, post the SHPP there, maintain a dispute resolution procedure for data subjects and display a privacy policy similar to those used in EU Member States.[3]

The benefits of the Safe Harbor scheme include:

  • companies participating in the Safe Harbor are deemed ‘adequate’,
  • all member states of the EU are bound by the European Commission’s finding of ‘adequacy’,
  • EEA Member State requirements for prior approval of data transfers are waived,
  • claims brought by European citizens against US companies are subject to US jurisdiction and courts.

The Safe Harbor scheme was criticised by the Article 29 Working Party in its 2004 report.[4] The Report disapproved of the Federal Trade Commission’s enforcement efforts stating that the Federal Trade Commission was not sufficiently diligent in bringing non-compliant companies to task. Indeed, it has taken almost a decade for any Federal Trade Commission enforcement against Safe Harbor companies.

In September 2009 the FTC announced its first compliance action against six organisations (FTC v Balls of Kryptonite, Civil Action No. 09-CV-5276, FTC File No. 092 3081) for falsely claiming that they were members of the Safe Harbor regime, imposing fines and reporting requirements. The targeted companies either failed to maintain their annual certification while posting that they were certified or fraudulently advertised on their web sites that they were associated with the Safe Harbor scheme. It is ironic that, while the Europeans were complaining about the adequacy of web site disclosure in their 2004 Report, the offending companies were using web disclosure to deceptively advertise their affiliation with the Safe Harbor scheme – as if it were the Good Housekeeping seal of approval. Although these were the first enforcement actions since the Safe Harbor scheme took effect, you can anticipate further aggressive FTC enforcement in this area and increased scrutiny regarding compliance with the Safe Harbor scheme.

Another issue of growing concern to the EU Commission is the Safe Harbor scheme’s rules regarding ‘onward transfers’ of personal data, one of the most important, but murky, areas of the scheme. In today’s global economy, data is not typically transferred once, but many times and across many borders. Under the Safe Harbor scheme, onward transfer of data from a US Safe Harbor company may only be to a ‘data controller’, and then only if the choice (opt-out) provisions and SHPP of the Safe Harbor are agreed to by the controller to whom the data is sent. The onward transfer rules are not available to ‘data processors’, such as network providers or ISPs, acting only upon the direction of a data controller.

The meanings of ‘data controller’ and ‘data processor’ have recently been updated by the Article 29 Working Party in an attempt to clarify the distinctions between them, but this seems to have resulted in further confusion and blurring of these distinctions.[5] Issues resulting from cloud computing and other technology may even make these distinctions obsolete. Digital networks and processing defy the existing legal frameworks of the EEA and USA, which were based on (outdated) analog technology.

The Commission and data protection authorities in some Member States believe that the obligations set by the Safe Harbor scheme are not (or will not be) observed by downstream data controllers and that many de facto onward transfers are being made to data processors (contrary to the Safe Harbor scheme), without sufficient agreement for adherence to the SHPP and choice provisions.

Essentially, the Commission is concerned that the rights of data subjects are being compromised.  The view of US companies is that onward transfer is an efficient way to manage personal data and creates synergies in cost and efficiency. The EU takes the position that onward transfer was included in the Safe Harbor scheme to aid handling of data sent to the USA under the scheme and was not intended as a mechanism for dissemination of data on a global basis, thus circumventing Articles 25 and 26 of the Directive.  The burgeoning use of onward transfer under the Safe Harbor scheme means that, in order to satisfy the Commission and Member States, companies will have to increase their efforts to file notifications of onward transfer with the data protection authorities of Member States, formulate consistent policies for reporting and record retention and meticulously document and maintain agreements with their onward data controllers. 

Several industries are excluded from the Safe Harbor scheme, including transport, telecommunications, and financial companies. These industries are regulated by various other US Federal agencies and governed by industry specific legislation, but to date, the EU does not recognise any US law as being ‘adequate’.  

Binding Corporate Rules and Model Contractual Clauses

If a company is excluded from the reach of the Safe Harbor scheme or if it is not the answer for an entity wishing to legally send personal data between the EEA and US, Binding Corporate Rules and Model Contractual Clauses may be the appropriate means of satisfying the ‘adequacy’ requirement. The EU has recently approved changes to each in keeping with modern business practices and governmental efficiency.


Binding Corporate Rules (BCRs)

BCRs are a bespoke set of specific inter-company rules incorporating the eight data protection principles governing the transfer and processing of personal data outside the EEA to countries without adequate protection. Data can be sent in a consistent manner between global affiliates of a large, complex corporate group without having to worry about borders or jurisdictional differences. BCRs alleviate the burden of having to enter into separate data transfer agreements between affiliates and filing them with various data protection authorities. BCRs are valid only for transfers of data between affiliates of the company but are not valid for transfers of data outside the EEA to non-affiliated companies or individuals. A key feature of BCRs is that it is the organisation and not the regulator that polices the operation of the policy. The BCRs and any subsequent amendments must be approved by the data protection authorities of each Member State.   

The BCR mechanism was approved by the Commission in 2003, but to date there has been little uptake. This is because of the expensive and onerous process of drafting the BCRs and obtaining approval on a country-by-country basis from each Member State affected by BCR data transfers, starting with the country where the company’s EU headquarters are located. General Electric was the first corporation to gain approval of its BCRs in 2005; eBay, Accenture, Atmel and Hyatt Hotels had BCRs approved by the Commission in 2009.

However, in 2005, the Article 29 Working Party adopted a ‘mutual recognition policy’ to fast-track the BCR approval process.[6] Under this new scheme, a lead country or ‘lead authority’ for submission of the BCRs is selected by the corporation (instead of where the EU headquarters are located) and, upon approval, the lead authority coordinates the filing and approval process in each of the other Member States relevant to the BCRs. So far 17 of 27 Member States have agreed to the new Mutual Recognition Policy. Hyatt was the first company approved under the new procedure in September 2009.   

The Commission considers BCRs to be one of its top priorities and, to some, this demonstrates the willingness of some of the strictest Member States to recognise the need for flexibility and practicality in international data transfers. While BCRs may be right for some multinational companies with complex structures, they remain an expensive and complicated method of compliance for SMEs and various business models despite recent advances.  

Model Contractual Clauses

The third means of data transfer outside the EU is Model Clauses. In practice, the use of Model Clauses is the simplest and most practical way for an EU data controller to ensure compliance with the provisions of Article 25 of the Directive in respect of any transfer to a non-EEA data processor. Article 26(4) of the Directive states that ‘the Commission may issue decisions containing standard contractual clauses for the transfer of personal data to countries outside the EEA’.  The Model Clauses are non-negotiable, since they are intended to ensure compliance by the data importer located outside the EEA with the fundamental principles of EU data protection law.  

The Commission adopted a Decision in December 2001 on standard contractual clauses for the transfer of personal data to third countries under Article 26(4) of the Directive (the 2002 Decision).[7] On 15 May 2010, the Commission’s new decision (2010 Decision) for transfer of data by EU data controllers to data processors outside the EEA took effect.[8] The 2010 Decision recognises the reality of the globalisation of outsourced data processing and cloud computing and provides new clauses for the onward transfer of data by the importing data processor to ‘sub-processors’.   

There is no longer a requirement that the EU data controller enter into a data transfer agreement with a sub-processor, thus reducing the complexity of current cross-border outsourcing transactions.  However, the data importer must obtain the consent of the EU data controller before it can enter into an agreement to send personal data to a sub-processor.  

The processor and sub-processor must enter into a contract to process and handle the data in accordance with EU data protection law and to ensure that the technical and security requirements of the country of final destination are the same as those required by the EU. Agreements between the processor and sub-processors must include a provision that the agreement will be governed by the law of the country of the EU data exporter.

The Model Clauses assume that an EU data controller will be liable, in the first instance, for any damage suffered by EU data subjects as a result of any violation of the provisions of the Model Clauses by either the data controller or the data importer and would impose liability upon data importers only when the EU data controller has disappeared, ceased to exist in law or become insolvent.  Importantly, the 2010 Decision grants EU data subjects a new third-party beneficiary right against the EU data controller and, in some instances, against the data importer located outside the EEA if it fails to enforce certain provisions of the Model Clauses. 

What’s on the Minds of the US and the EU?

The Article 29 Working Party announced its objectives for 2010-11[9] which were based on four themes: (1) ensuring correct implementation and development of the Directive and assessing the consequences of the Lisbon Treaty; (2) addressing globalisation (BCR, ISO standards, Madrid Declaration and OECD Guidelines); (3) meeting technological challenges (cloud computing and behavioural advertising); and (4) boosting the powers of the data protection authorities in Member States.  

At the annual meeting of US and EEA regulators in Washington DC in November 2009, the Federal Trade Commission and the Department of Commerce met with the European Commission and the Article 29 Working Party to review the progress of the Safe Harbor scheme and discuss the latest developments in compliance, data protection and global data protection issues. The agenda covered a wide range of topics including the new changes to BCR and Model Contractual Clauses, new paradigms for privacy compliance and the role of information security in data protection. Technology topics included the impact of cloud computing on current data protection regulation, data security, social networking and service providers, behavioural advertising and electronic discovery in civil litigation. One of the most debated issues of the meeting was whether regulatory frameworks built during the mainframe era need retooling in light of technological advancement.   

Conclusion

The US and EU are oceans apart in their fundamental ideology on data protection, but the fact that so much of the world’s business depends on these geopolitical entities means that they will have to embrace technological change and continue to work together. Neither the US nor the EU can ignore the fact that we live in a global technological and economic world. 

Susan Mann is a Partner at Wedlake Bell: smann@wedlakebell.com.

[1] EEA countries as of 2010 are: Cyprus, Czech Republic, Estonia, Greece, Hungary, Ireland, Latvia, Lithuania, Malta, the Netherlands, Poland, Slovak Republic, Slovenia, Sweden, the UK, Austria, France, Italy, Luxembourg, Portugal, Spain, Belgium, Denmark, Germany, Finland, Romania and Bulgaria, as well as Liechtenstein, Norway and Iceland. Non-EEA countries deemed to be adequate are: Argentina, Australia, Canada, Jersey, Guernsey, Isle of Man, Faroe Islands and Switzerland.

[2] 2125 Safe Harbor List Companies as of 24 April 2010 (US Department of Commerce)

[3] 27 EU Member States: Austria , Bulgaria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Ireland, Italy, Hungary, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.

[4] http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/sec-2004-1323_en.pdf

[5] 16 February 2010 Article 29 Working Party opinion on the concepts of ‘controller’ and ‘processor’.

[6] http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp107_en.pdf

[7] Decision 2002/16/EC; (OJ 2002 L6/52)

[8] Decision 2010/87/EU

[9] http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp170_en.pdf