Data, as anyone doing privacy on a global scale will tell you, knows no boundaries. It can be collected in country A, routed through countries B, C, and D, and come to rest on servers in country E. Those servers are likely then maintained by a third party in country F, with subcontracted support from another third party provider in country G.
All that is well and good, but what do you do when country A happens to be within Europe, and any one or more of countries B through G are outside of Europe? Europe’s aging Data Protection Directive tells you that if any of that data is personal in nature, then its transfer outside Europe is forbidden. Forbidden, that is, unless you have an “adequate” data export solution in place.
So the good news is that you can export data internationally if you have an “adequate” solution in place, and the even better news is that there’s not one solution but three! Phew! Your choices are:
- sign up to the US-EU Safe Harbor Framework - a voluntary privacy framework for US-based importers of data,
- execute so-called EU Model Clauses (also known as Standard Contractual Clauses) - standard form, non-negotiable data export agreements approved by the European Commission, or
- implement Binding Corporate Rules - a binding organizational data governance policy framework reviewed and approved by European data protection authorities.
So far, so good. But then comes the problem: each of these solutions suffers from some serious drawbacks that make it either commercially infeasible (Model Clauses), mistrusted by European customers and regulators (Safe Harbor), or subject to a lengthy regulatory approval process that puts off well-intentioned businesses that would otherwise be willing to adopt it (BCR).
A perilous future for Safe Harbor?
To illustrate the issue, today roughly 4,000 US businesses rely on Safe Harbor to import personal data from Europe. However, following the Snowden revelations, European legislators and regulators are increasingly reluctant to recognize the validity of Safe Harbor - believing that it no longer provides (or perhaps never provided) “adequate” protection for data and, as such, should be suspended or revoked. See here, for example.
Indeed, one case currently before the European Court of Justice may well decide Safe Harbor’s fate once and for all. In Schrems v the Irish Data Protection Commissioner (Case C-362/14), one of the points the Court has to consider is whether Safe Harbor does in fact provide “adequate” protection for European data exports; if it decides the answer is no, then Safe Harbor could well be over.
But, frankly, whether or not that happens is largely an academic point. Many US importers already find that EU customers will refuse to contract with them if they rely on Safe Harbor. And, even if it survives this court case, the European Commission has been threatening for some time to suspend Safe Harbor. With this level of ongoing uncertainty, it’s inevitable that businesses are looking to the other options available to them.
The problem with Model Clauses
In nearly all cases, they next turn to Model Clauses as the solution to their data export woes. On one level, doing so makes a lot of sense: Model Clauses are the darling of the regulatory community (after all, they created them), contain robust data protection terms, and so are often considered a ‘guaranteed compliant’ solution for the customers that use them.
The reality, though, is something different. Model Clauses neither provide the protection for data that customers and regulators think they do, nor are they actually complied with in practice - more often than not, they’re signed, put in a drawer and forgotten about. For data importing vendors, they are also woefully impractical - containing subcontracting controls that are unrealistic, excessive audit rights, and no liability limitations. And, to add to all this, where lengthy international subcontracting chains are involved, exporters and importers will often be looking at an extremely complicated web of Model Clause contracts to prepare and sign.
Taking that all into account, what right-minded person would really want to entrust any transfer of data to something so complicated and unworkable in practice?
Which leaves BCRs
With Safe Harbor on its last legs, and Model Clauses suffering from all manner of problems, the final remaining solution available to data importers is Binding Corporate Rules. In themselves, BCRs are a fine solution and often thought of (rightly) as the gold standard for data exports from the EU - after all, they have to be reviewed and signed off by European regulators.
Further, the business adopting BCRs gets to draft them in a way that reflects the particular characteristics and needs of their organization and, once in place, BCRs can be self-managed by the business with minimal ongoing maintenance and regulatory oversight. The consequence of this is that they significantly reduce administrative burden and, for large organizations, even cost as compared with model clauses.
But their single biggest drawback is the lack of any simple approval or self-certification process. Adopting BCRs, as anyone who’s been through the process knows, is not quick or straightforward. While the end result is undoubtedly positive, the regulatory approval process typically takes around 18 months from start to finish. Many organizations, faced with pressing data export needs, simply don’t have the time to wait and so turn to quicker, off-the-shelf solutions.
So what do you do?
The simple reality right now is that Europe has no good solution for facilitating international data exports, which is in stark contrast to increasingly globalized movements and storage of data. Yet, be that as it may, data export compliance is an important component of European privacy law, and one that will not get any simpler in the short- to mid-term.
Businesses are therefore left to consider what will be the most appropriate solution for their needs. For US businesses, that will still often be Safe Harbor, but on the understanding that this cannot be relied upon as an “exclusive” solution for all their data exports needs and that, in many cases, they still need to be prepared to sign Model Clauses with important customers who insist on them.
What is the most appropriate data export strategy for an international business then? Here’s my suggestion:
- If you’re a US business, rely on Safe Harbor to the extent you can.
- Where you can’t, or if you are sending data to other non-EU countries, use Model Clauses (there’s really very little alternative).
- But, to provide a more effective longer-term solution, start the process now of preparing for and adopting BCRs. Once implemented, these will ultimately be a far more efficient solution that can replace the awkward pairing of Safe Harbor and Model Clauses.
So while there’s no good solution, with some careful strategizing and forward thinking, you may at least get to a place that is - for want of a better word - adequate.