FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.


Jun 27, 2018

How does a company transfer data from the European Union (EU) to the US under the General Data Protection Regulation (GDPR), which went live on May 25, 2018? I recently had the opportunity to visit Jonathan Armstrong, partner at Cordery Compliance in London and an internationally renowned data privacy/data protection expert on this topic. Armstrong noted there have been some changes which may significantly impact this issue going forward. There are basically four ways to effect such a transfer.

However, there is a method that many people may not realize is a data transfer, as it involves reviewing data which sits on a server in the EU. This means that even if the data does not move out of the EU, if you can access it from the US, that counts as a data transfer as well. A fairly typical corporate example might be where your organization has a system for your employees that does the payroll, and that payroll information is on a server in Belgium. Your Human Resources (HR) Department in the US can get into that server and extract data from it. This is a data transfer under GDPR.

  1. Consent. The first method to safely and legally transfer data is through consent. While this may work more easily in a B2B context, it is much more challenging in the employment context. Under GDPR an employer cannot require consent as a condition of employment. Moreover, this is carried over after the creation of the employment relationship in that an employee cannot give valid consent. The reason is the EU holds the employer has undue influence over the employee and therefore no consent can be freely given.
  2. Standard Contractual Clauses or Model Clauses. Armstrong noted he expects to see new form clauses at some point from EU data regulators. However, he tempered this with caution that there is currently a court challenge at the European Court of Justice (ECJ), referred from the Irish Data Protection Commissioner. Once again, these standard contractual clauses in their current form are likely to face a number of legal challenges going forward, so they may well be less safe post-GDPR go-live than they were before.
  3. Privacy Shield. Readers will recall that Privacy Shield was the regime put in place after the legal actions, led by Max Schrems, invalidated Safe Harbor. Armstrong believes that while “Privacy Shield is not dead yet, it's certainly unwell.” One reason is that there are many Europeans who do not believe that the current US administration is respecting privacy as well as it might. Even this past week, US Secretary of Commerce Wilbur Ross criticized GDPR in an op-ed piece in the Financial Times, arguing the law was unclear, no guidance has been provided by regulators, it favored privacy rights over security and would likely cause job losses in the US.

Not that the Trump Administration is any friend of the EU (or data privacy for that matter) but if the European Commission is minded to retaliate, one easy way to do so would be to withdraw the Privacy Shield scheme. From the European legal perspective, Privacy Shield currently faces two challenges before the ECJ. These are likely to be heard in 12 to 18 months. Finally, the European Parliament and several European data protection regulators are not fans of Privacy Shield and this has hampered progress since it was brought into force. Armstrong concluded by stating, “my gut feel would, would be the privacy shield will die. It is a question of when and not on privacy shield. Certainly, in a worse position now than it was on May 25th.”

  4. Binding Corporate Rules. Armstrong believes this is the one area for data transfer which has benefited from GDPR go-live. Under this scenario, an organization can go to any one of the EU data regulators and ask it to be the group of companies' lead regulator. From this point, the companies would put in place a system that is somewhat akin to Privacy Shield, including a series of commitments from all the other entities which make up the corporate network. These commitments are to each other. From there the lead regulator reviews, assesses and then approves the entire network’s data privacy/data protection commitments. Finally, the lead regulator goes to such other regulators in the EU, supporting these Binding Corporate Rules. It is a more streamlined approach for dealing with the plethora of regulators in the EU.

Armstrong emphasized this is not a rubber stamp process but one which takes time and concerted effort. He estimated that it is an 18-month or so process. However, under GDPR there was the creation of a European Data Protection Board (EDPB), and one of its functions is to help the process of getting Binding Corporate Rules approved more quickly.

Armstrong concluded by cautioning there is still much fluidity in the mechanisms for data transfer. There still may be many changes from both the regulatory perspective and the legal perspectives through court challenges. He concluded by stating “vigilance is the watch word here.”
