ARTICLE
29 April 2016

Setback For EU-US Privacy Shield – How To Safely Get HR Data Across The Pond

O
Orrick

Contributor

Orrick logo
Orrick is a global law firm focused on serving the technology & innovation, energy & infrastructure and finance sectors. Founded over 150 years ago, Orrick has offices in 25+ markets worldwide. Financial Times selected Orrick as the Most Innovative Law Firm in North America for three years in a row.
Multinational companies with employees in the EU are facing the question how to legally transfer personal data.
United States Privacy

After the Court of Justice of the European Union declared the EU-U.S. Safe Harbor Framework invalid in October 2015, multinational companies with employees in the EU are facing the question how to legally transfer personal data. Current developments in the process of the proposed EU-U.S. Privacy Shield result in further uncertainty for companies relying on transatlantic data flows.

The EU-US Privacy Shield which is meant to regulate the transfer of personal data from Europe to the United States as a replacement to the Safe Harbor Framework was recently called into question by the Article 29 Working Party, an influential committee of the EU privacy regulators.

The Working Party is of the opinion that the current draft of the Privacy Shield will not provide adequate protection for personal data transferred to the US. It has expressed concern about commercial aspects as well as access by public authorities to data transferred under the Privacy Shield.

Orrick's European IP/IT & Data Privacy Practice Group recently published a Blog post about the main issues raised by the Working Party and possible consequences which can be found here.

For companies dependent on data flows between the EU and the U.S. it is of crucial importance to make sure they are legally performing their activities. Therefore, they need to consider the most appropriate alternative solution for transatlantic data transfers. This includes the transfer of employee-related data.

  • One option is to implement Model Clauses as part of standard terms and conditions with customers. There are EU Model Clause Contracts available; i. e. a set of EU approved clauses for data transfers.
  • Furthermore, companies have the possibility to establish intra-group agreements or binding corporate rules. The advantage of such corporate rules which are approved by EU data protection authorities is that it is not required to enter into a new contract for each new data transfer.
  • With regard to employee data to be transferred, an explicit consent by the employee can be a solution.

However, the appropriate solution depends on the nature of the respective business. For more detailed information on alternative solutions for transatlantic data transfers please confer the respective Blog post by Orrick's global Cybersecurity & Data Privacy team.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More