The current European Privacy Directive 95/46/EC, as well as the EU General Data Protection Regulation (or “GDPR” in short), entering into force in May 2018, contain strict rules regarding the transfer/export of personal data outside the European Economic Area (“EEA”). While personal data may in principle circulate freely within the EEA, the transfer of personal data to countries outside the EEA is as a rule prohibited, unless the receiving country’s legislation guarantees an appropriate level of data protection. If this is not the case, only limited legal grounds are available to support the transfer of such information.
The US is currently not considered to provide an ‘adequate’ level of personal data protection. Therefore, a transfer of employee data to the US will require justification on the basis of one of the following legal grounds:
- Necessity for the performance of the employment contract. As discussed in our previous post, this legal ground is interpreted in a restrictive manner and will most likely not be of any avail in the context of compliance with US trade controls regulations.
- Unambiguous consent of the relevant employees. As discussed in our previous post, the validity of such consent (which has to be ‘freely’ given) is a heavily debated issue in an employment context. Given their subordinate relationship with their employer, employees may feel pressured to provide their consent, in which case the consent may be considered not freely given and thus invalid. On the other hand, if there are sufficient guarantees that consent is really free, the use of this legal ground is not completely excluded. In such case, difficulties will however inevitably arise if an employee indeed refuses to provide his or her consent or revokes it at a later time, making compliance with US trade controls regulations impossible.
- Other frequently used legal grounds for legitimizing data transfers to the US are the implementation of data transfer agreements (e.g. with IT service providers) or Binding Corporate Rules (intra-group), and the self-certification mechanism for US companies under the EU-US Privacy Shield. However, these options are specifically designed for company-to-company data transfers and will in our view not be very useful in cases where the transfer of personal data is required by a US government authority.
- Finally, an EU-US data transfer will also be allowed if such transfer is necessary or legally required on important public interest grounds. In the present case, this legal ground, although probably not designed for this kind of transfer, would appear to be the most appropriate. However, in several opinions, the Article 29 Working Party (set up to provide guidance to companies on the interpretation and application of Directive 95/46/EC) has stated that it does not seem acceptable that a unilateral decision taken by a third country for reasons of its own public interest should lead to the routine and wholesale transfer of data protected under Directive 95/46/EC. The GDPR also explicitly states that any decision of an administrative authority of a third country requiring a company to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or an EU Member State. Foreign law will thus in principle still only be recognized as binding if the foreign law obligation for EU data controllers is expressly confirmed by EU law.
All in all, in the absence of a specific international agreement in this respect (cf. the International Agreement on the transfer of Passenger Name Records), it might in some circumstances be difficult to find appropriate legal grounds to justify EU-US exports of employee information for the purpose of compliance with US trade controls regulations. Ideally, this should be included in the dialogue between the EU and US authorities in order to find a solution that guarantees adequate protection for the data transmitted. In individual cases, companies may want to consult with their local data protection authority to find the best way forward.
One final, interesting thing to note is the additional legal ground that will be added to the above list once the GDPR enters into force. Where none of the other legal grounds or derogations is applicable, the GDPR will allow a transfer to a third country to take place if (i) the transfer is not repetitive, (ii) it concerns only a limited number of individuals, (iii) it is necessary for the purposes of compelling legitimate interests pursued by the company which are not overridden by the interests or rights and freedoms of the individuals concerned, and (iv) the company has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. If relying on this new legal ground, both the individuals concerned and the competent data protection authority will have to be informed of the transfer and of the compelling legitimate interests pursued. It will be interesting to see how this new legal ground will be applied in practice once the GDPR enters into force.
Next week, in our fourth and (for now) final post about this topic, we will discuss some new developments and recent changes in the US regulatory framework that may make it easier to balance labor and privacy law concerns with the need to gather employee information to comply with US trade controls regulations.