In today’s tech-oriented society, it is easy to view the world through the lens of the internet as simply one big marketplace, abounding with opportunities for entrepreneurs and emerging companies, and it certainly is. However, the laws, regulations and policy decisions of different jurisdictions remind us that it is not always that simple: they can impair, or at least lag behind, technological advancement.
The 23 September 2015 decision from the Court of Justice of the European Union, or CJEU, highlighted this very point by declaring invalid the Safe Harbor scheme, which allowed U.S. companies to transfer personal data from the European Economic Area, or EEA, to the U.S. The CJEU’s ruling does not mean an end to EEA-U.S. data transfers, but it does mean that you may need to give more thought to how you can transfer personal data internationally while staying compliant with EU data protection law.
- Am I transferring personal data out of the EEA?
- If so, can I seek consent to transfer the data from the data subject?
Whilst larger, more established companies may be able to set up servers in the EEA (or indeed, may already have done so) and thereby avoid the need to transfer any personal data out of the EEA, this is likely not feasible for many startups. In the aftermath of the Safe Harbor ruling, there is no quick and easy solution, but we recommend that you consider the following:
Seek consent from the individual whose data is being transferred
Depending on how the data is accessed, captured and stored, EU data protection laws do allow personal data to be transferred to the U.S. when the individual has given consent. Consent needs to be very explicit, however, and cannot be inferred from a failure to respond, such as to a simple banner notifying the individual that their data may be transferred out of the EEA. If you transfer information from the EEA to the U.S., consider modifying your terms of service to include an affirmative consent to the transfer of personal information, and requiring European users to acknowledge the updated terms of service by affirmatively clicking through them.
Enter into further contractual agreements
Another way to legitimise data transfers to the U.S. is to enter into what are known as model clauses prepared by European regulatory bodies. These are clauses that would appear in contracts between your company and the other party from whom you may be receiving personal data regarding European residents. They state how the personal data may be treated and provide rights of recourse to the individuals whose data is being processed and transferred. These clauses cannot be amended (without prior approval by the local regulator), but may be supplemented, provided there is no conflict and the effect of the model clauses is not lost or altered in any way.
This is sure to be a dynamic area of the law over the coming months and years, so if your business involves transferring data from the EEA to the U.S., we recommend that you consult with knowledgeable counsel about how to continue those transfers while staying compliant with European law in light of the demise of the Safe Harbor arrangement.