Setback for EU-US Privacy Shield – How to Safely Get HR Data Across the Pond

After the Court of Justice of the European Union declared the EU-U.S. Safe Harbor Framework invalid in October 2015, multinational companies with employees in the EU face the question of how to legally transfer personal data. Current developments in the process of the proposed EU-U.S. Privacy Shield result in further uncertainty for companies relying on transatlantic data flows.

The EU-US Privacy Shield, which is meant to regulate the transfer of personal data from Europe to the United States as a replacement for the Safe Harbor Framework, was recently called into question by the Article 29 Working Party, an influential committee of the EU privacy regulators.

The Working Party is of the opinion that the current draft of the Privacy Shield will not provide adequate protection for personal data transferred to the US. It has expressed concern about commercial aspects as well as access by public authorities to data transferred under the Privacy Shield.

Orrick’s European IP/IT & Data Privacy Practice Group recently published a blog post, which can be found here, about the main issues raised by the Working Party and possible consequences.

For companies dependent on data flows between the EU and the U.S., it is of crucial importance to make sure they are performing their activities legally. Therefore, they need to consider the most appropriate alternative solution for transatlantic data transfers. This includes the transfer of employee-related data.

  • One option is to implement Model Clauses as part of standard terms and conditions with customers. There are EU Model Clause Contracts available, i.e., a set of EU-approved clauses for data transfers.
  • Furthermore, companies have the possibility to establish intra-group agreements or binding corporate rules. The advantage of such corporate rules, which are approved by EU data protection authorities, is that it is not required to enter into a new contract for each new data transfer.
  • With regard to employee data to be transferred, explicit consent by the employee can be a solution.

However, the appropriate solution depends on the nature of the respective business. For more detailed information on alternative solutions for transatlantic data transfers, please refer to the respective blog post by Orrick’s global Cybersecurity & Data Privacy team.