The striking down of the Privacy Shield by the Court of Justice of the European Union (CJEU) last week may have significant consequences for UK and EU employers which are headquartered in the US or which otherwise transfer the personal data of their employees to that country.
Brief history – the original EU Data Protection Directive imposed strict limits and conditions on the transfer of the personal data of EU citizens outside the bloc to jurisdictions where the protection of that data was perceived to be of a lower priority than in the EU. That included the US.
In response, the US and EU developed jointly the Safe Harbor concept – a set of rules which, if agreed to by the relevant US transferee, were deemed to provide equivalent protection to the EU laws. Safe Harbor ran undisturbed until October 2015 when the CJEU ruled it invalid due to concerns that the US Government and Security Services could access that personal data irrespective of the Safe Harbor principles.
Privacy Shield took its place. However, now that too has been torpedoed by the CJEU on broadly similar grounds.
Meaning what for employers?
If you transfer the personal data of any EU or UK employee or contractor to the US, whether to a parent company, a benefit provider or any form of staff management or records platform, then you will need to look quickly at which mechanism you rely on to make that transfer legitimate. If you were reliant solely on the Privacy Shield, then you now need an alternative.
Provided that you act swiftly, the solution is a reasonably simple one. You need to ensure that the processing of data already in the US and the future transfer of personal data to that jurisdiction are both covered by an alternative mechanism which does provide the appropriate safeguards. Many older employment contracts still refer to the employee agreeing that his data may be transferred outside the EU, but relying on that term, or obtaining the employee’s consent anew, is not a way round this – that consent would be tripped up by the general principle that employee consent won’t be deemed freely given for GDPR purposes. On the other hand, the EU model clauses (aka ‘standard contractual clauses’ or ‘SCCs’) do represent a valid option. That means drawing up and completing either wholly new contracts or formal variations to existing terms with the US data transferee, by which the existing written arrangements around the processing of that data are replaced or supplemented, as the case may be, with new terms incorporating the model clauses.
Where it is a question of data transfers within a corporate group, that should hopefully be a formality. The SCCs do not impose any obligations which make legitimate usage or storage of that data in the US impracticable, so there should be little objective basis for resistance to them. Where your data is transferred to a third party in the US, any refusal by that entity to incorporate the SCCs into its arrangements with you is likely to mean that you have to terminate your contract with it – after all, continuing without those provisions may now be unlawful. Therefore you need to get hold of a copy of your contract with that supplier and understand the termination provisions. It may or may not provide for these circumstances, but in any case you will need to tell it formally now what you need and why, and then give it a realistic deadline by which to agree those terms. Again, there is little likelihood that the SCCs would stop any legitimate usage by the US entity of that data, but there may still be a period of adjustment required. The judgment is essentially effective immediately, but so long as the employer makes a fast start on addressing this issue with the US third party, it is unlikely to fall foul of the ICO in the interim.