ALERT
Privacy
OCTOBER 2015
No Safe Harbor for EU-U.S. Data Transfers
by Ieuan Jolly, Partner
In a landmark decision with immediate repercussions for both American and European companies, Europe’s highest court, the Court of Justice of the European Union (CJEU), ruled that the EU-U.S. Safe Harbor framework enabling data transfers of personal data between the EU and U.S. is invalid. The decision means that thousands of American companies that handle the personal data of European citizens may no longer rely on Safe Harbor certification to legitimize data transfers from the EU to the U.S. These companies — and EU-based businesses and their affiliates that transfer personal data to the U.S. in the course of doing business — must now implement other mechanisms for data transfers, or risk claims that these transfers are unlawful.

Below, we outline the commercial implications of the decision for cross-border data transfers from Europe to the U.S., identify which companies will be affected and provide some immediate steps that companies can take to achieve continued compliance for their international data transfers.

Background to the Ruling

The EU Data Protection Directive permits the transfer of personal data to countries outside the European Economic Area only if the country to which the data is transferred offers an adequate level of protection for that data. The European Commission does not consider that the U.S. has privacy laws that offer this level of protection. “Safe Harbor” was originally created by the European Commission and the U.S. Department of Commerce as a framework that would enable U.S.-based companies to overcome the restrictions on transfers of personal data from Europe by self-certifying that their data protection practices adequately address the European Commission’s core privacy principles.

The CJEU’s landmark decision follows a dispute between an Austrian citizen and the Irish Data Protection Authority, in relation to concerns about the transfer of the claimant’s personal data by Facebook to the U.S. under the Safe Harbor framework. The claimant focused on the fact that the privacy laws of the U.S. do not offer sufficient protection against such surveillance by the U.S. government, particularly in light of revelations made by Edward Snowden concerning the surveillance activities of the U.S. intelligence services. The CJEU was asked to determine whether the Data Protection Authorities of EU Member States are bound by the European Commission’s ruling on the adequacy of the data protections afforded by the Safe Harbor framework.
In its decision, the CJEU went beyond this specific question and declared that the Safe Harbor framework does not provide an adequate level of protection for personal data transferred from the EU to the U.S., identifying a number of factors, including that the Safe Harbor could not prevent access by U.S. intelligence authorities to personal data transferred from the EU, and because it provides EU citizens with limited means of judicial redress in the U.S.

Who Is Impacted and How?

The ruling has an immediate impact on a wide range of companies, with four groups of businesses being high on the watch list:

- U.S.-based service providers certified under Safe Harbor to receive personal data from European customers will need to provide alternative assurances for those customers to be able to use their services lawfully. This would include vendors providing data hosting, storage, cloud solutions, SaaS, data analytics and social networks, and a range of other businesses that have built their data transfer models on Safe Harbor.
- EU-based companies on the buy-side that have engaged the services of U.S.-based companies will need to consider on what basis they can lawfully transfer personal data to the U.S., now that transfers of such data to the U.S. previously relying on Safe Harbor would be considered unlawful.
- EU-based data processors, such as cloud storage companies, that would typically host some or all of their data in the U.S. and that had previously relied on Safe Harbor to effect transfers of personal data to the U.S. will need to consider alternative options.
- Multinationals that had previously relied on their Safe Harbor certification to legitimize intragroup transfers of personal data from EU subsidiaries to their U.S. parent company or other U.S.-based affiliates will need to implement an alternative mechanism.

What Alternative Options Are There to Safe Harbor?

The (i) focus of your business, (ii) nature of the data transfers you engage in and (iii) entities involved in the data transfer (e.g., service providers, partners, intracompany groups, etc.) will determine which solution is most appropriate, but possible alternatives to achieve compliance with the EU rules on data transfers include:

- Incorporating EU Commission-approved Standard Contractual Clauses (SCCs) — a special type of data-processing agreement — as part of standard terms and conditions governing business relationships.
- Developing “Binding Corporate Rules” for the transfer of personal data between entities within an international corporate group that agree to detailed data-sharing protocols that are reviewed and agreed on by various Data Protection Authorities (DPAs).
- Obtaining the consent of EU data subjects to the transfer of their personal data to the U.S. (however, this option is often logistically difficult and needs to be used with care — particularly in the context of transferring HR data — and is likely to be scrutinized by national DPAs and courts).
- Keeping data within the EU by using a local data-processing facility or EU-based group entity as the customer-facing service provider.

What Steps Should You Take?

Companies should consider the following measures if their data transfers are impacted by the Safe Harbor decision:

- As a general matter, initiate a complete audit of data transfers to identify transfers that were undertaken in reliance on the Safe Harbor.
  - Review all entities with which you engage in EU-U.S. data transfers — including nonaffiliated companies, business partners and intracompany groups — and see what data transfer scheme is used by those entities.
  - Review the data transfer mechanisms you rely on to transfer personal data, and identify any that are based on the Safe Harbor.
  - Identify the types of personal data and use cases for those datasets that you are transferring to the U.S. Prioritize addressing the transfers of high volumes of personal data and sensitive personal data (e.g., health information, financial information, information about political or religious beliefs or sexual preference).
- For EU-based business customers that have engaged U.S.-based service providers:
  - Review contracts with third-party vendors to determine which contracts include data transfers under Safe Harbor certification, and consider appropriate alternatives for data transfer.
  - Consider whether you can force the U.S. service providers to sign up to the SCCs, or what rights you have under your contract to require the U.S. service providers to comply (e.g., consider provisions governing compliance with laws, change control, liability and termination provisions).
- For U.S.-based service providers that receive personal data from EU businesses under the Safe Harbor:
  - Consider what data transfer mechanism is the most appropriate for your business. Can you enter into the SCCs? Could you provide the services using servers within the EU or without transferring personal data outside the European Economic Area?
  - Review your contracts to understand the implications of not being able to rely on Safe Harbor for data transfers. Consider whether this development puts you in breach of specific contractual obligations or gives the customer rights to force you to adopt alternative data transfer mechanisms, or allows the customer to terminate the contract.
- For businesses that are considering engaging a new service provider that will receive personal data in the U.S. from the EU, make sure that they are not relying on their Safe Harbor certification to legitimize that transfer. You should include in the contract appropriate compliance methods, or use the SCCs to effect the transfers.
- For multinationals requiring intragroup transfers of HR data, consider implementing intragroup agreements and Binding Corporate Rules. Alternatively, if operationally feasible, consider whether you can process employee data within the EU or locate a centralized HR repository within the EU.

Cross-border data transfers are a complex area requiring careful consideration of international data protection frameworks and commercial contract analysis. For tailored advice on the impact of the EU ruling on your business and advice on next steps you should take, please contact Ieuan Jolly at ijolly@loeb.com.

This alert is a publication of Loeb & Loeb and is intended to provide information on recent legal developments. This alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

© 2015 Loeb & Loeb LLP. All rights reserved.