Last time, we gave witness to the demise of the EU-US Privacy Shield program. I promised you I would explain who might be able to take advantage of one of the last grounds remaining to import personal data to the US from the EU. That remaining ground is that “the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request,” allowed under Article 49 of the GDPR.
Necessity of the Contract
The Article 29 Working Party has proffered guidelines on how to apply the test to determine when a transfer is “necessary” for the performance of a contract. One common example for Privacy Shield companies is that it processes information from an EU retailer or service provider for payment processing purposes. More broadly even, plenty of EU companies use US-based web hosting and CMS. Unfortunately, these are not the examples the Working Party chose to analyze. The example they offer instead for when the transfer is “necessary” is the following:
this derogation could be used as a legal ground for example for the transfer by travel agents of personal data concerning their individual clients to hotels or to other commercial partners that would be called upon in the organization of these clients’ stay abroad.
So if an EU person wants to stay in a US hotel, the hotel can have their information. That’s a relief, I suppose. Snark aside, it does appear that this example would similarly allow U.S. trademark lawyers to collect information on EU clients for the purpose of filing their U.S. trademark application, particularly since U.S. (and Canadian) lawyers are the only lawyers allowed to practice in front of the U.S. Patent & Trademark Office.
When the Processing Isn’t “Necessary”
But it’s not at all clear that this example applies to our US-based e-commerce and CMS platforms. View the following example from the Article 29 Working Party Guidelines for when this contractual necessity would NOT apply:
This derogation cannot be used for example when a corporate group has, for business purposes, centralized its payment and human resources management functions for all its staff in a third country as there is no direct and objective link between the performance of the employment contract and such transfer.
PSSSSHHHHH. So if there any multi-nationals who use a payroll processor whose offices are all in the US, they’re going to be looking for a new payroll processor pretty soon.
OK, so payroll in the US isn’t necessary enough for performance of the employment contract. A contract for the simple purchase of goods or services online might have a more direct link with the necessity for order processing (and certainly if the data subject themselves ordered the goods from a US retailer). But are order processing and payroll services really remarkably different? It’s not like there aren’t alternatives in countries lacking the FISA problems the US has. But “available alternatives” are not the test, so I digress. One difference between the employee payroll system and an e-commerce platform is that the e-commerce company is much more likely to be able to claim that the processing of any single data subjects’ information is “occasional,” which under Article 49 is the other requirement. But you’d have to have both “necessity and “occasionality,” and I’m not sure we can claim the first one.
Clauses + Contract = Solution?
So did I promise you last time that there was one ground left and then pull it out from under you? I don’t know yet. For now we’re going to cobble together Article 49 with what’s left of the Standard Contractual Clauses, and as Omer Tene of the International Association of Privacy Professionals put it today,
8. For former Privacy Shield companies the advice is sign SCCs, do a TIA (transfer impact analysis), get an opinion stating the laws of [FILL IN COUNTRY NAME] don’t prevent the importer from complying, encrypt data in transit (if you haven’t prior), carry on and hope for best.
— Omer Tene (@omertene) July 24, 2020
The post The Death of Privacy Shield and The “Necessity” of Processing appeared first on Aaron Sanders Law.