Annually my law firm publishes a checklist of legal issues we believe will be relevant in 2017.  To view the list click here.

In no particular order of importance this year’s list includes the following, with brief write-ups by AGG lawyers:

  1. Wage and Hour
  2. Non-GAAP Financial Measures
  3. Ban the Box
  4. EU-U.S. Privacy Shield
  5. Immigration Compliance – Form I-9 and E-Verify
  6. Robust Compliance Programs
  7. Blockchain and Digital Transactions
  8. Cyber Security and M&A Transactions
  9. Online Advertising Practices
  10. Wellness Programs
  11. Tax Reform
  12. The Consumer Financial Protection Bureau
  13. E-Discovery and Defense Costs

Human Resources professionals have one more item to add to their compliance checklist – ensuring the lawful transfer of employee, consumer or customer personal data from the European Union (“EU”) to the United States. 

To unravel this compliance requirement let’s start with a hypothetical transfer of personal data from location A to location B for employment purposes.  Company based in Providence, Rhode Island has offices worldwide, including several in the EU.  Hiring is centralized in the United States and therefore all onboarding is conducted by Human Resources professionals in Providence.  As per company policy, the company sends all new hires an employee packet and several of the forms in the packet require the collection of personal data or information.  Personal data such as name, date of birth, address, email address, etc. For its new hires in the EU, they are asked to send the employee packet back to Providence electronically so that the information can be processed for employee benefits, payroll, and a background investigation.  Therefore, personal data is being transferred to the United States for processing.   The question is, is this legal?  Does the company in Providence, Rhode Island need to do anything from a compliance perspective?  The response to the first question is, maybe if the company has a permissible cross-border transfer mechanism in place.  The second response is, yes.  Bottom line is that any U.S. based company which operates globally has to factor in international privacy and data protection laws before transferring employee personal data from outside the United States to the United States.  

Here’s why.  In the EU it is generally prohibited to collect, use, transfer, disclose or otherwise process an individual’s personal data without justification.  In case you are wondering, what’s the European Union?  The EU is made up of 28 member countries in Europe.  It includes countries such as Austria, Belgium, France, Germany, Greece, Ireland, Italy, Spain and the United Kingdom (until they depart due to Brexit).  For a full list of member countries, click here.  

What do American companies need to do?  First, if you have offices, operations or otherwise transfer someone’s personal data from the EU to the United States you need to know that. We privacy professionals call that, mapping the data flows.  In other words, are your employees, customers, consumers sending you personal data from the EU to the United States, what data and for what purpose. 

Why should American companies care?  Because in the EU they are serious about privacy and data protection.  The Europeans would argue that they are far more serious and protective of their citizen’s privacy than the Americans.  They can and will bring enforcement actions against companies that transfer personal data outside the EU without having a permissible onward transfer mechanism.  See the most recent action by German data protection authorities by clicking here.

What’s a permissible onward transfer mechanism?  In the EU, there is a general legal framework under which companies operate which is the EU Directive 95/46/EC (“EU Directive”) and it describes how organizations can lawfully “process” personal data, meaning how they can collect, use, transfer, share, store, etc. personal data.   Generally speaking—and please note that I’m focusing only on cross-border transfers of personal data in this article—an organization cannot transfer an individual’s personal data from the EU to the United States without a lawful mechanism.   That’s right, you can’t just transfer personal data without having a plan in place.  Also, not to throw in a monkey wrench, but the EU Directive will be replaced by the General Data Protection Regulation (“GDPR”)  effective 2018, which will have stricter requirements on U.S. companies with operations in the EU, including requirements related to data breaches.

What options do American companies have to lawfully transfer personal data to the United States?  A few, actually.  One is by self-certifying with the Department of Commerce’s EU-U.S. Privacy Shield program,  instituting model contract clauses or binding corporate rules, or meeting one of the other derogations described in Article 26 of the EU Directive, such as consent of the data subject to the cross-border transfer.   There are pros and cons to each of these options and that is the subject of another discussion and greater legal analysis.  This article is intended as a primer to flag the issue of cross-border transfers of personal data from the EU to the United States and compliance considerations around such.   

If your organization transfers personal data from the EU to the United States and you would like to discuss what your legal requirements or obligations may be I am happy to have that conversation with you.  The privacy team at my firm, Arnall Golden Gregory LLP, advises companies on cross-border transfers of personal data and we would be happy to assist.

 

Please join me on a free webinar next week to learn helpful information on risk mitigation for your organization related to consumer and customer personal data, including must have policies and procedures around collection and use of personal data, the importance of privacy policies, preventing data breaches, steps to take if a data breach occurs, the impact of the EU – U.S. Privacy Shield on your organization, and more. The webinar is hosted by Hire Image and I will be the featured presenter (my bio).

Click here to register.

Date: November 9 (Wednesday) from 3:00 to 4:00 pm EST

Cost: Free

HR Certification Institute Credit: The webinar has been approved for 1 hour (general) recertification credit toward California, GPHR, HRBP, PHR and SPHR recertification with the HR Certification Institute.

It appears that the European Commission and U.S. Department of Commerce have reached a deal on a new transatlantic safe harbor data transfer agreement.

My colleague Kevin Coy listened in to a press conference on the new deal, held by European Union (EU) officials, and here is a preliminary overview of what we can expect.

First, “Safe Harbor” appears to be out as a name, and “EU/US Privacy Shield” is in.  Perhaps they had Captain Marvel on their minds.

Other points from the EU press conference:

  • EU Commissioners blessed the deal today, but the official EU approval process is still necessary.
  • The Justice Minister has advised the Chairwoman of the Article 29 working party of the agreement and will be briefing the Data Protection Authories (DPAs) tomorrow in person at their ongoing meeting in Brussels.
  • It will take a few weeks for the EU to prepare an adequacy opinion on the new deal and for the U.S. Department of Commerce to finalize things on the US side.
  • The EU Justice Commissioner estimates that it may take 3 months for the EU approval process to be completed.
  • There will be annual reviews of the new framework, beginning next year.
  • The US has made “binding” commitments about surveillance of EU citizens and an ombudsman is being established at the State Department to address national security complaints.
  • There will be several avenues for handling disputes about company processing of personal data, with a binding arbitration process as a mechanism of last resort to ensure that all complaints are resolved.
  • The Department of Commerce will have an enhanced role with respect to oversight and participating companies will be subject to regular reviews by Commerce.
  • There will be increased transparency in the new program.
  • Companies that fail to meet their obligations will face sanctions and can be removed from the program.
  • There are enhanced onward transfer restrictions on transfers from participating companies to other parties.

Stay tuned!

Join us tomorrow for DPRCRA Live: Privacy at MidYear to learn about the latest developments in the privacy field. Tomorrow’s webinar is another in a series of webinars hosted by my firm, Arnall Golden Gregory LLP, and the Privacy & Consumer Regulatory Practice Group.  This month we will review and discuss some of the biggest events that have occurred in the privacy field to date in 2014.  This webinar will cover the following major events and developments:

  • The FTC’s new Data Broker Report;
  • Wyndham and LabMD – the battle over the FTC’s authority;
  • Updates on data privacy in the European Union and the “right to be forgotten”;
  • EU Safe Harbor;
  • The FTC Spring Privacy Series, including discussions on: mobile device tracking and alternative scoring products;
  • Debt collection in light of the FTC’s settlement with Consumer Portfolio Services; and
  • An update on the past six months on Capitol Hill.

Join AGG Privacy attorneys Montserrat Miller, Joseph Rubin, Kevin Coy and Kelly Gordon Zemil for this one-hour, complimentary webinar. A live Q&A session will follow the discussion.

To Register please click this link.