Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S.


Transcript and Presenter's Notes



1
Anomalous Aspects of Transfer of Personal Data
from the E.U. to the U.S.
  • Stephen R. Bell, Willkie Farr Gallagher
  • ABA Section of International Law, New York, New
    York, April 7, 2006

2
Introduction
  • Examine the mechanisms by which personal data
    (personally identifiable) can be transmitted from
    member states of the E.U. to a third country.
  • A determination that the third country has
    adequate safeguard (including U.S. Safe Harbor).
  • An ad hoc or standard agreement between the data
    controller and the party in the third country.
  • Binding Corporate Rules.
  • Consent of the data subject.
  • Master Agreement.

3
Introduction (contd)
  • Discuss some indicators on how frequently the
    formal mechanisms are being employed to transfer
    personal data.

4
E.U. Data Protection Principles
  • E.U. and member states have created most
    elaborate mechanism for protection of Personal
    Data.
  • Directive 95/46/EC of 25 October 1995 On the
    protection of individuals regarding processing or
    transfer of personal data.
  • Directive 2002/58/EC of 12 July 2002 On
    processing of personal data and protection of
    electronic communication.
  • Regulation (EC) 45/2001 of 18 December 2000 On
    the processing of personal data by Community
    Institutions.
  • Directive 2006/__/EC On retention of data
    generated in the provision of electronic
    communications.

5
E.U. Data Protection Principles (contd)
  • The 25 member states adopted laws implementing
    the Directive.
  • Process took a long time.
  • France 2004
  • Ireland still has not notified the adoption.
  • Laws vary widely.
  • Not wholly consistent with the primary Directive.
  • Not wholly consistent with each other.

6
E.U. Data Protection Principles (contd)
  • Difference between member states.
  • Definition of collection
  • Jurisdiction over foreign-based websites
  • Definition of personal data
  • Obligation to notify data protection authorities
    when collection and processing occurs
  • Attitudes toward trans-border data flow contracts

7
E.U. Data Protection Principles (contd)
  • Goal
  • Harmonize members' laws and provide a high level
    of protection to accommodate the increased
    cross-border data flow.
  • Member state laws reflect a high level of
    protection of personal data.
  • Transborder data flow from the EEA (E.U. and
    Norway, Liechtenstein, and Iceland) is
    problematic.

8
E.U. Data Protection Principles (contd)
  • Articles 25 and 26 of Directive 95/46/EC
    prescribe the conditions under which personal
    data may be transferred to third countries.
  • Article 25(1) requires an E.U. Commission finding
    that the level of data protection in the third
    countries is adequate.
  • Argentina
  • Canada
  • Guernsey
  • Isle of Man
  • Switzerland
  • U.S. (Safe Harbor participant)
  • U.S. (Air Passenger name record)

9
Safe Harbor (www.export.gov/safeharbor/)
  • Became effective October 1998 after lengthy and
    sometimes ambiguous negotiations between the E.U.
    and DOC.
  • U.S. entities register with DOC.
  • U.S. entities establish a privacy policy and Safe
    Harbor procedure similar to but not precisely the
    same as the E.U. principles.
  • Notice of purpose of collection
  • Choice of disclosure to third parties
  • Onward transfer limitation
  • Reasonable security precautions
  • Data integrity
  • Access
  • Recourse mechanisms

10
Safe Harbor (www.export.gov/safeharbor/) (contd)
  • Advantages
  • All E.U. members must allow transfer pursuant to
    Safe Harbor.
  • With limited exceptions, interpretation is based
    on U.S. law.
  • Certain exceptions, such as the U.S.-oriented
    journalistic exceptions apply.
  • Self-assessment or verification of compliance is
    available.
  • FTC enforcement only after self-regulation.
  • Extremely simple to join.
  • Limitations
  • Applies to organizations subject to the FTC or
    air carriers subject to DOT.
  • Only legitimizes transfer, any required consent
    to collect must still be obtained.

11
Alternatives (Derogations)
  • Article 26 provides alternative.
  • 26(1) Transfer can occur with the unambiguous
    consent of the data subject, to fulfill
    a contract or when it is necessary for
    other important public policies.
  • Working Party 29 (WP 114, 25 November 2005) and a
    number of data protection authorities question
    whether consent can be unambiguous, particularly
    in employee/employer setting or when there is
    long-term framework for repeated transfer of
    data.
  • 26(2) Authorized transfer if adequate protection
    is provided through contractual provision.
  • Ad hoc
  • Standard clauses

12
Alternatives (Derogations) (contd)
  • Two Commission Decisions adopted standardized
    clauses.
  • Decision 2001/497/EC applies to transfer from a
    data controller in the EC to a data controller in
    third countries.
  • Decision 2002/16/EC applies to transfer from a
    data controller in the EC to data processors in
    third countries.
  • Original Standard Clauses.
  • Incorporate principles similar to the Privacy
    Directive.
  • Specify the relevant E.U. member laws on
    governing.
  • Ad hoc contracts require approval of relevant
    data protection authority.

13
Alternatives (Derogations) (contd)
  • Almost as soon as the standard clauses were
    adopted, the Commission realized that they were
    not going to work.
  • Decision C (2004) 5271 was adopted.
  • Alternative is slightly less onerous provision.
  • Effective April 1, 2005.

14
Alternatives (Derogations) (contd)
  • Binding Corporate Rules.
  • A number of business organizations lobbied for
    adoption of approval to transfer on the basis of
    Binding Corporate Rules (internal).
  • Article 29 Working Party adopted Initial Binding
    Rules in 2003 and a checklist for such rules of
    14 April 2005.
  • Approval of the binding corporate rules by a
    member state's data protection authority is
    required.
  • Member states do not have to approve Binding
    Corporate Rules.

15
Alternatives (Derogations) (contd)
  • Master Agreement
  • Business groups like the International Chamber of
    Commerce continued to lobby for simplification
    and expedition.
  • Commission Staff Document SEC (2006) 95 discussed
    this option, but the discussion contained some of
    the caveats that appeared in the early discussion
    of Binding Corporate Rules.

16
Anomaly
  • Staff Document SEC (2006) 95 tallied contractual
    clauses or Binding Corporate Rules notified to the
    Commission.
  • 14 ad hoc contractual clauses or Binding
    Corporate Rules have been notified to the
    Commission.
  • 64 standard contractual clauses have been
    notified.
  • Mostly H.R. to U.S.
  • These agreements do not have to be notified.
  • Safe Harbor
  • 884 organizations on the Safe Harbor List (24 Feb
    2006).
  • Some small percentages are not current.

17
CONCLUSION
  • Elaborate formal proceedings are not being
    implemented to comply with the limits on
    transmission.
  • Consent (26.1) or standard contractual (26.2)
    clauses may be used to justify transfer.
  • A number of entities that transfer data from the
    E.U. may simply be ignoring the issue.