Data privacy has become a fraught aspect of in-house counsel’s lives, particularly when employee data is exported across a global network. The issue of data protection dominated Heinz European general counsel Janice More’s workload for much of 2010.
In mid-2009 Heinz began looking at putting in place some new IT systems, with a staggered start date across different jurisdictions, giving rise to the issue of transfer of personal data from the EU into the US.
The transfer of personal data from Europe is strictly governed by a set of data protection principles, notably the eighth principle, which states that “personal data shall not be transferred to a country or territory outside the European Economic Area [EEA] unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
Unfortunately, there is no standard mechanism that companies can use to deal with cross-border dataflows. Companies have to impose what data protection lawyers call a ‘mix and match’ solution in the context of considerable debate over current European Commission provisions.
“The primary objective of the Heinz data compliance project was to ensure compliance with data privacy where Heinz employee data might be exported across our international network of offices and businesses,” explains More. “In particular, we wanted to ensure that staff data which might be exported outside the home countries and even outside Europe – no matter where to – would be exported in a fully compliant manner from a data privacy perspective across our network.
“Although initially the requirement was to ensure we could export data from Europe to the US we decided that it was important to find a global solution if possible. This would allow us to ensure consistency and, additionally, would give us global compliance assurance.”
Examining the options
At first More and her external advisers at Freshfields Bruckhaus Deringer examined the favoured option of a number of companies – the US Safe Harbor protocol. This allows US-headquartered companies (of which Heinz is one) to sign up to a self-regulatory regime which is taken to satisfy EU standards of ‘adequacy’.
Although this approach has found favour with many companies, not least because it is primarily self-regulatory, some have found drawbacks in that there are restrictions on onward data transfers from the US that can cause problems. More pertinently for Heinz, Safe Harbor has to be renewed every 12 months.
“We did look at this option, but felt it was a sledgehammer to crack a nut,” says More. “It’s a major process to go through. We’d have had to certify each year and satisfy the Department of Justice that we were fully compliant, and we’d have had to take on extra people to make sure we could certify.”
The second option, used by a number of organisations, was the Binding Corporate Rules (BCRs) approach, whereby a company is allowed to establish its own scheme of internal contracts that commit the company to adhere to an appropriate level of data protection. But the level of acceptance of BCRs varies between European jurisdictions. “We felt that these could take many months, if not as long as one to two years, to finalise, which was unattractive,” says More.
Crucially, BCRs would not have solved the problem of transfer of data outside the EU as they are designed primarily to facilitate data transfer between EU jurisdictions.
More and her team decided to opt for a customised approach of model clauses. EU-approved model clauses may become more popular with companies following the March 2010 updating of the EU data protection regime, which is intended to simplify dataflows by allowing onward transfers of personal data from a non-EEA entity to subcontractors also located outside the EEA. This is designed to address the previous flaws within model clauses, which tended not to reflect the reality of complex outsourcing arrangements. Although Heinz does not fall into this category, the model clauses approach ended up being the most suitable for the company’s data needs.
Minimal bells and whistles
“The solution we came up with involved the use of a series of data transfer agreements between our offices and the US – where our HQ is and also where data would be exported – and common sets of notices to staff across our network.”
This approach also took into account differing regulatory approaches to data protection across the EU.
“When I compared data export agreements between affiliates it seemed much less inflexible than the Safe Harbor provisions,” More adds. “While bells and whistles were needed in certain jurisdictions, we kept these to a minimum.
“There’s no perfect solution. We wanted a flexible, commercial solution which would offer legal compliance globally but was not overengineered or too time- and resource-consuming.”
Do:
- Check local legislation even within Europe before exporting personal data to ensure compliance with all local requirements: even within Europe there are differing levels of restrictions and attitudes by regulators towards enforcement. For example, Spain and Germany are significantly more restrictive and vigilant than the UK.
- Remember that model clauses are more flexible and faster to organise than Safe Harbor certification of the data importer: Safe Harbor applies only to Europe and the US.
- Consider hiring a privacy officer for compliance.
- Involve HR and IT staff locally to help develop and implement this.
Don't:
- Take privacy lightly: infringements can lead to serious fines in some countries and cause incalculable reputational damage.
- Assume privacy legislation is the same across Europe: in spite of European legislation, rules vary from country to country.
- Underestimate the amount of work involved when implementing data export compliance: resource appropriately, and not just with lawyers.
- Underestimate the time it takes to implement privacy compliance, even with the quickest method (model clauses), especially when local permits are required or works councils have to be involved.