Last time, we witnessed the demise of the EU-US Privacy Shield program. I promised you I would explain who might be able to take advantage of one of the last grounds remaining to import personal data to the US from the EU. That remaining ground is that “the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request,” allowed under Article 49 of the GDPR.
A Quick Refresher
A brief reminder of how we got where we are. Privacy is a fundamental right in Europe. The GDPR, passed in 2018, codified this right and forced companies who collect and process personal data to start respecting those fundamental rights on a new level. The European Union was concerned that these fundamental rights would not be protected to the same degree if the data was transferred outside the EU. So they set up a couple of different mechanisms to try to ensure the same level of respect for rights, regardless of where the data ended up. One of those ways was by designating a country as having “adequate” data protection laws. Only about a dozen countries in the world have been given an “Adequacy Decision,” and the U.S. isn’t one of them. (The Faroe Islands are, though.)
Since the US does not have great national privacy laws, the US Department of Commerce and the EU negotiated to allow US companies to self-certify and get registered under the US-EU Privacy Shield. That way, data collectors and controllers in the EU could send data to those companies in the US without fear of getting in trouble with their own supervisory authorities. This worked fine for a couple of years.
An EU lawsuit against Facebook about their data protection practices brought the whole thing crashing down. One of the questions that the European Court of Justice (kind of like the U.S. Supreme Court) had to answer was “can Privacy Shield adequately protect fundamental rights when the U.S. government can access information on any foreign national under Section 702 of the Foreign Intelligence Act?” (I’m paraphrasing here.) The Court said no, and killed Privacy Shield. Poor thing was only four years and four days old.
So now we’re left with trying to find which of the other mechanisms for lawfully transferring personal data from an EU company to a US company are left for the thousands of US businesses that relied on Privacy Shield. And right now we’re looking at “necessity.”
Necessity of the Contract
The Article 29 Working Party has proffered guidelines on how to apply the test to determine when a transfer is “necessary” for the performance of a contract. One common situation for a Privacy Shield company is that it processes information from an EU retailer or service provider for payment processing purposes. Even more broadly, plenty of EU companies use US-based web hosting and CMS. Unfortunately, these are not the examples the Working Party chose to analyze. The example they offer instead for when the transfer is “necessary” is the following:
this derogation could be used as a legal ground for example for the transfer by travel agents of personal data concerning their individual clients to hotels or to other commercial partners that would be called upon in the organization of these clients’ stay abroad.
So if an EU person wants to stay in a US hotel, the hotel can have their information. That’s a relief, I suppose. Snark aside, it does appear that this example would similarly allow U.S. trademark lawyers to collect information on EU clients for the purpose of filing their U.S. trademark application, particularly since U.S. (and Canadian) lawyers are the only lawyers allowed to practice in front of the U.S. Patent & Trademark Office.
When the Processing Isn’t “Necessary”
But it’s not at all clear that this example applies to our US-based e-commerce and CMS platforms. Consider the following example from the Article 29 Working Party Guidelines for when this contractual necessity would NOT apply:
This derogation cannot be used for example when a corporate group has, for business purposes, centralized its payment and human resources management functions for all its staff in a third country as there is no direct and objective link between the performance of the employment contract and such transfer.
PFFFFFTTTTHHHHHH. So if there are any multinationals who use a payroll processor whose offices are all in the US, they’re going to be looking for a new payroll processor pretty soon.
OK, so payroll in the US isn’t necessary enough for performance of the employment contract. A contract for the simple purchase of goods or services online might have a more direct link with the necessity for order processing (and certainly if the data subject themselves ordered the goods from a US retailer). But are order processing and payroll services really remarkably different? It’s not like there aren’t alternatives in countries lacking the FISA problems the US has. But “available alternatives” are not the test, so I digress. One difference between the employee payroll system and an e-commerce platform is that the e-commerce company is much more likely to be able to claim that the processing of any single data subject’s information is “occasional,” which under Article 49 is the other requirement. But you’d have to have both “necessity” and “occasionality,” and I’m not sure we can claim the first one.
Clauses + Contract = Solution?
So did I promise you last time that there was one ground left and then pull it out from under you? I don’t know yet. For now we’re going to cobble together Article 49 with what’s left of the Standard Contractual Clauses, and as Omer Tene of the International Association of Privacy Professionals put it today,
8. For former Privacy Shield companies the advice is sign SCCs, do a TIA (transfer impact analysis), get an opinion stating the laws of [FILL IN COUNTRY NAME] don’t prevent the importer from complying, encrypt data in transit (if you haven’t prior), carry on and hope for best.
— Omer Tene (@omertene) July 24, 2020