Companies that transmit data from Europe to the US have become vulnerable to unexpected financial costs imposed by individual EU member states. Brexit may be the most visible headline from the EU, but a lesser-known threat poses more of a compliance concern. We reported last fall about the potential fallout expected after the EU’s decision in the Schrems case invalidating the Safe Harbor Agreement, and what US companies could expect were they not to change course before the EU’s January 2016 deadline.[i] Specifically, our concern was that, in the absence of a common plan, an individual EU member state could impose its own rules and fine companies, subjecting US companies to potentially 28 different sets of privacy rules. Germany has now fired the first shot in this new privacy skirmish.
Germany’s Hamburg Data Commissioner has fined three companies for continuing to rely on the Safe Harbor rules and failing to make appropriate changes to the manner in which data is transferred to the US.[ii] While the companies were not immediately identified, The Hill confirmed that Adobe, a PepsiCo subsidiary, and Unilever were each fined.[iii] Although the original fines were reduced, Germany warned the industry that for “future infringements, stricter measures have to be applied.” Germany is presently investigating 35 other US companies for potential fines.[iv] Some commentators have described Germany’s actions as “going rogue” during a period of great uncertainty.[v]
Further, Ireland’s data commissioner has referred a question to the European Court of Justice asking whether the standard means of post-Schrems compliance, namely “contractual clauses”, is a legitimate workaround.[vi] These salvos from individual EU members are expected to multiply and intensify until a solution is negotiated. It is worth noting that the first US proposal, known as the EU/US Privacy Shield, was roundly rejected when it was put forward.
As the US adheres to a defensive posture that equates its data privacy rules with those of EU members, a consensus is unlikely: many EU members are suspicious of US governmental authorities, which have more reach into private data than their EU counterparts. This intransigence by US negotiators may cost US companies as fines and penalties increase. As the Data Protection Report article suggests, this dispute may well land at the World Trade Organization’s doorstep.
While the timing and ultimate resolution of an EU/US or WTO decision are unknown, it is certain that, absent some type of new safe harbor, US companies will continue to be exposed to myriad penalties from multiple jurisdictions concurrently.
So, companies looking to minimize their exposure need to develop interim plans. The following are questions that should factor into those plans.
- Does my organization house data for EU users on EU-based servers? If not, have my users been notified that their data is housed on US-based servers?
- Do I know what data my organization houses “offshore”? This includes email server databases, SharePoint servers, and file servers.
- How is my Cloud infrastructure configured? Do I have a US and an EU Cloud? Does my organization have policies in place that define which user data is stored in which Cloud geographic location?
- Do I have email hosted by Microsoft Office 365? Where is that data physically located?
- Do I know where and how corporate email is archived? Is it in one location (US or EU) or is it distributed (multiple archives in different geographic locations)? Do I have policies in place that control access to my EU-based archives by US-based personnel or applications?
As the industry leader in email archive migrations, Archive360 has extensive experience in assisting corporations with migrating custodial data (both active and archived) to new locations, in compliance with EU privacy laws. For more information: www.archive360.com or firstname.lastname@example.org.
[iii] The Hill, http://thehill.com/policy/cybersecurity/282453-germany-privacy-regulator-fines-adobe-others-over-defunct-data-transfer
[iv] See Orrick Report by Ratzke, Schroder and Castic, http://blogs.orrick.com/trustanchor/2016/05/11/data-transfers-in-limbo-u-s-companies-face-fines-by-german-data-protection-authorities/
[v] Data Protection Report, Segalis, Ritzer and Hoffman, http://www.dataprotectionreport.com/2016/06/hamburg-dpa-fines-three-companies-for-continued-reliance-on-safe-harbor/
[vi] Contractual clauses typically require the individual to “sign off” on a transfer of his/her data to US servers, which is often impractical and, under the challenged Irish case, believed to be inadequate. Similar US law on “click thru” agreements may support this challenge.