Global expansion and the distributed nature of a company’s information add new complexity to the effective management of a company’s information assets and its ability to meet regulatory requirements in a global network. The so called big data problem is not new. What is new is that where this big data lives is no longer an easy question as you embark on global discovery and that regulatory efforts require you to amass information from custodians and information stores around the globe.
In an effort to contain costs and increase accessibility to critical company data, outsourcing, managed services and cloud storage are commonplace for everything from email to customer relations management and document creation systems. While these tools can manage a company’s information assets in a cost-effective manner, the distributed relationships pose a particular legal challenge for those trying to gather all that information for a litigation or investigation. Knowing exactly where certain data is being stored may be the key to whether it can be collected, govern how it is collected and the circumstances under which it can be transferred. This is of particular importance in the EU, where you could inadvertently run afoul of privacy regulations.
The 1995 European Union Data Protection Directive regulates how and when personal data may be collected, the requirements around the processing of personal data, and the safeguards that must be in place to afford that personal data has “adequate protection.” The directive requires that if personal data is to be transferred, the receiving country must afford an adequate level of protection to that data. EU countries, and some enumerated others, are deemed to afford adequate protection to personal data, but other countries, such as the United States and China, are specifically deemed to not afford adequate protection.
The General Data Protection Regulation (GDPR) was recently approved by the European Commission, Parliament and Council, and it will replace the Directive as the governing regulation for privacy protection. With its more expansive reach and stringent penalties for violations, the GDPR will have even more impact on the ways global companies do business in the EU. Violators can be fined up to 4 percent of global revenue for violating the GDPR.
The Invalidation of Safe Harbor
In the past, many U.S. companies doing business in the EU that needed to move employees’ personal data around the globe relied on self-certification, pursuant to the U.S. Department of Commerce’s Safe Harbor framework. The self-certification was an acknowledgement by the company that adequate levels of protection would be afforded to all personal data of EU citizens that was onward transferred to the U.S. Two other vehicles that could be used to demonstrate adequate protection were binding corporate rules (BCRs) and model contract clauses.
The landscape changed in 2015 when the European Court of Justice (ECJ) invalidated the Safe Harbor framework as inadequate to afford personal data the level of protection required by the directive. In the Schrems decision (Schrems v. Data Protection Commissioner [Case C-362/14]), the ECJ declared that the Safe Harbor framework was fundamentally flawed because of its reliance on self-certification, the lack of appropriate policing and the “Snowden effect.” The court reasoned that even if the framework could be salvaged, the U.S. surveillance efforts by the NSA constituted a disproportionate interference with an EU citizen’s right to privacy. As a result, companies were forced to put BCRs or model contract clauses in place, both of which were major undertakings for any company.1
The Privacy Shield
Where does that leave a global company operating in the EU that needs to transfer data outside the EU in order to comply with litigation or regulatory requirements? In the wake of the invalidation of Safe Harbor, the U.S. Department of Commerce, the FTC and the EU Commission have now negotiated the proposed EU-U.S. Privacy Shield. It would establish a tighter framework for cross-border transfers. The Privacy Shield would not rely solely on self-certification for compliance monitoring and would impose greater reporting requirements on the covered entity. The Privacy Shield is currently under review by the EU member states and awaits final approval by the full commission.2
While we await the outcome of the proposed Privacy Shield, if you will be doing business in the EU, there are some things you can do to prepare for compliance with the GDPR:
Data map: Engage in a data-mapping exercise so you understand where the EU personal data will live within your organization. Whether in your data center, with a third party in an outsourcing model, in a managed services environment or in the cloud, the privacy rules still apply. Your responsibility is not delegable.
Define business needs: Understand what kind of cross-border transfers of personal data are likely to be routinely needed to advance legitimate business goals. If you expect a regular volume of transfers will be required, consider adopting BCRs.
Assess data security: As you would with your own infrastructure, ensure that any third party or cloud provider meets industry standard security protocols, and contractually require that enumerated data security requirements are met.
Anticipate a breach: Establish documented policies and procedures for data breach incidents and contractually require any third party or cloud provider to adhere to them.
Make compliant transfers: If you are required to transfer personal data for a valid business reason, ensure that current requirements for cross-border transfer are met.
For practical in-house approaches, please consult The Sedona Conference “Practical In-House Approaches for Cross-Border Discovery & Data Protection.”3
1 The GDPR expressly recognizes BCRs, raising the expectation that they will rise in popularity for intra-company transfers.
2 The Article 29 Working Party recently issued their opinion on the Privacy Shield. While acknowledging that it made some progress toward protecting the rights of EU citizens, it opined that it did not go far enough and recommended more work be done.