It has been a year since the Safe Harbor framework was invalidated by the European Court of Justice. That framework allowed U.S. companies that registered with the Federal Trade Commission to lawfully transfer personal data from EU member states to the U.S. At the time the Safe Harbor was invalidated, about 4,000 U.S. companies were registered under the program. Each of them found itself scrambling for an alternative way to legitimize transfers that had become a routine part of daily operations at global corporations. The Safe Harbor framework was eventually replaced by the Privacy Shield framework, approved by a vote of the EU's Article 31 Committee on July 8, 2016. Since then, many of the companies that had relied on the Safe Harbor framework have begun to certify under the new program. Others have turned to one of the other mechanisms approved by EU lawmakers for lawful transfers to the U.S., such as Standard Contractual Clauses (also called model clauses) and Binding Corporate Rules.
The future of each of these transfer mechanisms remains uncertain, however. Max Schrems, the Austrian law graduate and privacy advocate whose challenge to the Safe Harbor resulted in its invalidation last year, has vowed to challenge the legality of the Privacy Shield as well. He has also filed a complaint with Ireland's Data Protection Commissioner challenging Facebook's use of Standard Contractual Clauses to move its data between Ireland and the U.S. In a provisional view of the case, the commissioner found Schrems' complaint to be "well founded." Accordingly, the commissioner has asked the High Court in Ireland for a determination on the validity of the model clauses. The High Court has agreed to consider whether to refer the question to the Court of Justice of the European Union and has set February 7, 2017, as the start of hearings on whether it should do so.
Given these uncertainties, companies that transfer regulated data across EU borders need to understand exactly what data they transfer and which mechanism is relied upon to legitimize each transfer. When the Safe Harbor program was invalidated, many companies found themselves in the precarious position of not knowing which data was being transferred to vendors, processors and business partners under that framework and which was being transferred under other mechanisms. This left them unsure of which transfers were still lawful and which would potentially violate the law once the short grace period offered by the EU regulators lapsed.
Conducting an audit of actual data transfers is the first logical step to avert these types of issues. In addition to cataloging every cross-border transfer of personally identifiable information (PII), including onward transfers to vendors, processors and business partners, the audit should clearly identify and validate the mechanism relied upon for each transfer. Second, companies should ensure that each mechanism is consistent with their other contractual and regulatory obligations, so the review of those obligations should be part of the audit as well. For example, an audit may show that the scope of the company's Privacy Shield certification is limited to internal PII relating to its own employees, yet certain contracts with clients or customers may cite the certification based on a misunderstanding that it also extends to data processed on their behalf. That is a compliance gap that should be closed. Correlating the actual data transfers, the transfer mechanism relied upon for each, and the company's other contractual and legal obligations relating to the PII it collects, stores, processes, manages and transfers across borders not only helps the company close such gaps; it also positions it to respond in a timely and cost-efficient manner should any of the current transfer mechanisms be invalidated in the near future. After all, the last answer anybody wants to give a board member or a regulator who asks which transfer mechanism is relied upon is "we are not sure."