SCL Event Report: International Data Transfers

December 5, 2014

This SCL event focused on International Data Transfers and was hosted by Hunton & Williams.  Anna Clayden, Senior Counsel at BP, chaired the event and began by introducing the speakers and setting out the agenda for the event.  The speakers were Anita Bapat, Associate at Hunton & Williams, who explained the general prohibition on transfers of personal data outside the EEA and the use of Model Clauses as a transfer mechanism; Susan Boynton, head of legal for EMEA at Disney, who discussed the US-EU Safe Harbor Programme; and Geraldine Dersley, head of legal at the ICO and Director responsible for BCR approvals, who discussed the use of Binding Corporate Rules (BCRs) as a transfer mechanism.

Anita Bapat began by explaining the limitations of Model Clauses as a transfer mechanism.  In particular, the existing Model Clauses framework is often difficult to adapt to the complex data flows of global organisations, especially, for example, where data are stored in the cloud in multiple jurisdictions. Another challenge faced by many organisations is that there is unlikely to be just one processor; rather there will be chains of processors and sub-processors and the protection of personal data needs to be ensured down the chain.  Other difficulties also arise, for example with the use of non-EEA sub-processors, and in circumstances where there are no appropriate parties to the Model Clauses, for example where transfers are made between different branches of the same legal entity.

A variety of factors will influence the suitability of Model Clauses to a particular transfer, including the sensitivity and volume of data to be transferred, the jurisdictions and data flows in question, the transferring organisation’s risk appetite, and the time-frame and cost constraints for implementing a solution.

Anita went on to discuss the procedural requirements for implementing Model Clauses.  In many EU jurisdictions, the transferring data controller must notify or, in several jurisdictions, seek the approval of the data protection authority prior to the transfer taking place.  Depending on the jurisdiction, this process may take anywhere between 1 and 12 months, and so will typically play a significant role in determining the data controller’s transfer strategy.

Model Clauses cannot be amended and must be used in the form approved by the European Commission.  Data controllers may, however, supplement Model Clauses with bespoke commercial terms, so long as such terms do not dilute the protections provided by the Model Clauses.  Model Clauses may be implemented in several ways, for instance as a ‘web’ of bilateral agreements between each of the exporting and importing entities.  Anita explained that this approach is often preferred by DPAs as there is a direct relationship between the parties, but can present a significant administrative burden to data controllers in putting in place and maintaining numerous contracts.  Alternatively, a Model Clauses master agreement can be prepared to which all relevant entities agree.  While this approach can provide flexibility, it is difficult to implement unless there is consistency in the data flows of the various contracted entities.

Susan Boynton began by discussing the background to the US-EU Safe Harbor Programme.  It was initially developed by the US Department of Commerce and is enforced by the Federal Trade Commission (FTC).  The Safe Harbor Programme is typical of the US self-regulatory philosophy and as such is markedly different from EU privacy rules.  Organisations are required to self-certify that they follow the 7 privacy principles and 15 FAQs.  Susan explained that the Safe Harbor Programme can be as robust as other transfer mechanisms, but this depends more on the compliance culture of the organisation in question, rather than top-down regulatory pressure.

Susan continued to explain the self-certification process.  Organisations must be subject to FTC or Department of Transportation (DoT) jurisdiction in order to certify compliance with the Programme.  Organisations should begin by identifying relevant data flows.  Organisations also need to ensure privacy policies comply with the Safe Harbor Principles (the ‘Principles’), and make their policy publicly available.  Organisations must also put in place an independent recourse mechanism to address complaints from affected data subjects, and ensure a mechanism is in place to internally validate compliance.  Finally, organisations must designate a Safe Harbor contact person.  Once these steps are complete, organisations are in a position to file a self-certification form with the Department of Commerce.

Susan made it clear that, in practice, certification will involve a concerted effort between legal, IT and audit teams, and relevant business units.  Legal teams will be involved in preparing and filing the certification, advising as to compliance with the Principles, and preparing onward transfer agreements and notifying EU DPAs where necessary.  The IT team will primarily be focused on implementing reasonable security measures, as required by the Safe Harbor security Principle.  The business unit will usually be responsible for communication and validation of the scope of certification, managing remediation efforts and establishing internal compliance processes.  Finally, the audit function will often carry out compliance spot-checks, and is likely to be involved in the annual re-certification process.

Susan concluded by explaining some of the benefits and limitations of the Safe Harbor Programme.  Firstly, as the Safe Harbor Programme has been found to be an adequate transfer mechanism by the European Commission, it may be relied on in all EU Member States.  Prior DPA approval is typically not required.  On the other hand, the Safe Harbor Programme is limited to transfers to the US, and to organisations subject to FTC or DoT jurisdiction.  The Safe Harbor Programme has recently received scrutiny from European DPAs, and there are some question marks over its future availability.  In the event it were suspended, data controllers would be required to implement new transfer mechanisms to remain in compliance with EU data protection law.

Geraldine Dersley began by explaining that BCRs are an internal code of conduct that are binding amongst entities within a group of companies, and that provide enforceable rights to relevant data subjects.  Accordingly, BCRs are most suitable for global organisations with complex data flows.  Previously, BCRs were available for controller to controller transfers only but, since 1 January 2013, BCRs for Processors may be implemented to legitimise transfers to intra-group data processors.  The key advantage to BCRs is that, once in place, organisations have significant flexibility.  For example, organisations may easily add or remove new group entities from the BCRs, or change the data flows to which the BCRs apply.

Implementing BCRs can be a significant process in terms of time, cost and internal resource.  For example, organisations will need to understand the structure of the organisation and data flows and create a data flow map, determine the scope of the BCRs including the relevant entities and jurisdictions covered, implement a mechanism to make the BCRs binding on the relevant entities, determine the structure of the BCRs (for instance, will it include a BCR for Processors?) and conduct a gap analysis against the Article 29 Working Party BCR which provides checklists of requirements.  Further, organisations must implement several internal compliance mechanisms including a staff training programme, an audit programme, and the appointment of a network of privacy officers.  Given the significant hurdles to implementing a BCR, Geraldine recommended that the DPA is approached early in the process to avoid wasted time and resources.

Geraldine then discussed the BCR approval process.  Applicants are required to select a lead DPA.  This choice will typically be based on the organisation’s centre of processing in the EU, and will often be its EU headquarters location.  The selection will not be formalised however until the organisation’s BCR application form has been circulated by the chosen lead DPA to the other DPAs.  DPAs have 15 days from receipt to object to the appointment of the lead.

Once a lead DPA is appointed, it will review the proposed BCR application and provide comments.  This is an iterative process, and the lead DPA and applicant organisation are expected to undergo several rounds of discussion and revision until an application form is agreed.  Geraldine highlighted some of the pitfalls encountered at this stage, including unreasonable expectations around time and cost of implementation and approval, a lack of transparency with the lead DPA, and a lack of engagement from the applicant organisation (in particular a lack of senior management buy-in or approval).

There are currently two BCR approval processes.  Under the cooperation procedure, all EU DPAs will have the opportunity to review the application and provide comment, and this process can often be lengthy.  21 DPAs have however agreed to a mutual recognition procedure, pursuant to which an application that is approved by the lead DPA and two other DPAs will be mutually recognised by the remaining DPAs.  Once the BCR is approved by whichever method, the applicant will be required to seek further national authorisation for a transfer of data based on the BCR where required. 

James Henderson is an Associate at Hunton & Williams