Jay Cline, CIPP, and Leonardo Cervera Navas
In the past two years, the U.S. and the EU have found themselves at odds on at least six different types of EU personal data transfers to the U.S. Europeans generally have viewed these transfers as disproportionate for the intended purposes, violating the very sense of privacy. Americans have countered that the purposes for transferring the data are legitimate, and don't pose a material risk of harm to the data subjects. Existing mechanisms for certifying these exchanges have proven difficult to resolve these disputes, and have fallen short of establishing a lasting transatlantic truce. Is it time to consider a new mechanism for cross-border data exports?
Origin of the Disputes
The EU Data Protection Directive in 1998 set in motion a series of events that have led to the current portfolio of privacy disputes between the transatlantic powers. Article 25 of the directive famously threatened to block flows of EU personal data to countries deemed by the EU to not ensure an adequate level of protection. Article 29 of the directive established a Working Party of EU data protection authorities who subsequently determined that U.S. privacy legislation did not justify an EU finding of adequacy.
U.S. multinationals, concerned about a major disruption in their global operations, enlisted the help of the U.S. Department of Commerce to start talks with the Commission. The late Barbara Wellbery, who headed the Electronic Task Force for the International Trade Administration within Commerce, led the U.S. team, and her counterpart was Susan Binns, Director in charge of data protection matters at the Commission. The two sides negotiated the landmark Safe Harbor Agreement in 2000, an imperfect but brilliantly innovative solution to meet business and privacy objectives.
Meanwhile, the European Commission granted adequacy findings for Switzerland, Hungary, Canada, Argentina and a few smaller countries. The commission also developed other alternative mechanisms, such as standard contractual clauses and Binding Corporate Rules (BCRs), to transfer personal data to third countries. Despite these positive developments, the fragile U.S.-EU consensus would be tested by the September 11, 2001 terrorist attacks and the War on Terror, as well as the general trends in the globalization of commerce.
Three Disputes Over Government-Mandated Transfers
The Western effort to disrupt Islamic terrorist networks has precipitated the two biggest EU-U.S. privacy clashes over airline-passenger and financial data held by the Society for Worldwide Interbank Financial Telecommunica-tion (SWIFT), a Belgium-based consortium that operates a worldwide financial messaging network. New U.S. federal rules on e-discovery have further complicated relations. In each case, the EU has argued that U.S. governmental authorities are requiring the transfer, retention and sharing of more personal information than is needed for U.S. national-security interests or its rule of law.
1. Transfer of EU Passenger Name Record (PNR) information. The U.S. requires that EU airlines flying to the U.S. supply up to 34 available data fields about passengers - including credit-card numbers, travel itineraries and addresses - or face fines of up to $6,000 per passenger and a possible loss of landing rights. According to various press reports, the Department of Homeland Security wanted 50-year retention of this information, direct data pulls from EU airline computers, pre-flight entry of data into a U.S. database by EU passengers, and access to this data by U.S. agencies involved in combating terrorism and pandemics such as the avian flu and tuberculosis. The EU conceded that using this data for anti-terror efforts is legitimate, but wanted shorter retention periods, EU airlines to push the data, anonymized data unless specific threats are identified, and tighter limits on which U.S. agencies could access the data.
Last month, the two sides announced a compromise: just 19 of the 34 data fields will be transferred to the U.S.; the EU will push the data, the U.S. won't pull it; the U.S. will retain "active" access to it for seven years, and more restricted access to "dormant" data for another eight years; and European national regulators remain competent to intervene and suspend PNR transfers in exceptional circumstances.
2. Transfer of EU financial information via SWIFT. In the frantic weeks following 9/11, President Bush issued a broad subpoena for the CIA, under the oversight of the Treasury Department, to gain access to SWIFT information to seek evidence of terrorist financing. In November 2006, EU data protection authorities unanimously recognized the legitimate purpose of the SWIFT transfers, but deemed them contrary to EU and national data protection laws. The two sides settled this dispute last month as well, whereby: electronic records of every data search will be kept; analysts will document the intelligence that justified each search; an outside auditor and mutually agreed-upon European will verify the searches are based on intelligence leads about suspected terrorists; SWIFT personnel stationed alongside intelligence officials could block inappropriate searches; the U.S. would retain the data no longer than five years; and SWIFT itself would adopt the Safe Harbor privacy principles. Banks that use SWIFT also will provide customers a privacy notice.
3. Transfer of EU personal data for legal discovery. Following a series of scandals in which U.S. corporations failed to preserve or produce records required for legal proceedings, the U.S. has amended its Federal Rules of Civil Procedure. Under the revised rules, which took effect in December 2006, businesses subject to U.S. law must: (1) Retain all documents that may be relevant to pending and foreseeable litigation; (2) Search and produce all relevant records when discovery has begun; and (3) Meet these obligations without regard for where the documents are located, or whether they are in electronic or paper format. The penalties for failing to do so may include adverse rulings in litigation, criminal sanctions and independent tort claims. Several U.S. companies have begun storing copies of all electronic files on centralized "litigation servers" to comply with the rules, ensure the files' preservation, and reduce the time and cost of retrieval. Transferring these records outside of the EU - especially before litigation arises - has prompted EU concerns about violations of their data protection laws.
4. The U.S. government isn't the only catalyst of these disputes. EU privacy advocates voiced similar concerns last year when their own governments approved the Communications Data Retention Directive, saying its 2-year retention period was disproportionately long for anti-terror purposes.
Three Corporate Conflicts
Smoldering in the background of these government disagreements are a number of staff-level clashes among the U.S. and EU sides of large corporations.
1. Transfer of EU employee data via Human Resources Information Systems. The first time many U.S. companies take notice of EU data-protection regulations is when they attempt to centralize their global human resources systems onto U.S.-based servers using PeopleSoft software. When EU counsel assist these projects, three issues often crop up: (1) The flows of data are considered global if database admininstrators in any region could access the data; (2) Access to the data is thought to be too extensive if everyone in an employee's reporting chain can see his information; and (3) If sensitive health, race, or religious information is transferred, it raises the question of whether the appropriate consent was obtained. Several EU countries, for example, incorporate a "church tax" into the payroll process, leading employers to routinely capture employees' religious affiliation. Meanwhile, American project managers face obstacles in that employee consent is infeasible; Safe Harbor membership only covers the EU-U.S. data flows, not the flows to Asia; model contracts are too limited to address all the possible data flows; and getting BCRs approved is a multiyear project itself.
2. Transfer of EU health information for medical research. U.S.-based pharmaceutical companies and biomedical-device makers routinely test their products on human subjects located where the companies intend to certify and sell their products, including Europe. The testing process inherently requires the collection of sensitive health information. If there are adverse reactions to their products, the U.S.-based staff at these companies want the ability to trace their research back to identifiable individuals to help them to improve their products, and also report the incidents, as required, to the Food and Drug Administration. But some European privacy counsel and commissioners, notably in France, have opposed the transfer of this information to the U.S., even where codes have replaced full names. They argue that such transfers do not technically meet the requirements of EU and French data-protection laws, which are very restrictive regarding the processing of so-called "sensitive data" revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and health status.
3. Transfer of EU employee information in mergers & acquisitions. U.S.-based companies that acquire another company with offices in Europe are starting to discover another privacy-related hurdle: how and when to pull over the employee information of the company being acquired. American IT managers, under heavy pressure to make these mergers operationally smooth, can often only accomplish their objectives if they obtain the EU employees' information before the companies finalize the merger and by observing strict secrecy. In these cases, however, their EU counterparts may balk at the notion of providing the employee data without their consent, or some other suitable arrangement. American privacy officers, in turn, are hoping temporary model contracts or some other mechanism might address these concerns.
A New Mechanism?
The advents of the EU-U.S. Safe Harbor, and most recently, of BCRs, have not throttled down the number and intensity of cross-Atlantic privacy disputes, in particular where national-security considerations are in place. Despite the growing understanding on both sides of the Atlantic about these divergent approaches to privacy, some recent actions only have reinforced their stereotypes of each other as uncontrolled American cowboy and inefficient European bureaucrat.
UK Information Commissioner Richard Thomas, in his keynote address to the IAPP Summit in March 2007, tried to bridge this chasm by offering a potential solution: that Europe introduce the concept of harm into its considerations of what is proportionate and appropriate data processing from the adequacy of the protection point of view. If a certain data practice in a third country posed no direct or material harm to a person, but only harmed the concept of privacy at a theoretical level, perhaps certain bureaucratic requirements could be relaxed, he suggested. Thomas since has taken steps to retool his office's agenda in this direction.
It is perhaps important to recall that this notion of "direct or material harm" is considered as a "perversion" by other data protection authorities who are not willing to consider this idea. To them, fundamental rights must be respected in all circumstances, no matter whether its
violation is likely to cause direct or material harm.
What would this principle look like in practice? In honor of the commissioner, we offer the Thomas Test - a set of three requirements for transfers of data outside the EU that, if implemented, would meet the European standard of adequacy ipso facto apart from any government-based certification process:
(1) The transfer serves a legitimate, lawful, public interest, in the opinion of a party independent of the interests at stake in the transaction. The party could be an internal or external auditor;
(2) The data transferred is limited to the files, fields and time frame necessary - in the view of the independent overseer - filtering in the EU and anonymizing where feasible.
(3) The data transferred is protected with measures consistent with the EU's or Federal Trade Commission's prevailing standard of reasonableness, whereby the recipient organization must be able to produce upon request evidence of its reasonable measures.
Absent from these requirements are obligations to give notice to, and obtain consent from, the data subjects for the international transfer of their data. Why? Because these three requirements, in and of themselves, should make immaterial the risk of harm to individuals of transferring their data across borders. That is why we call it the Thomas Test.
To a certain extent, these proposed requirements seem to be the core components of the agreements currently being discussed and explored in the six disputes profiled in this article, and are likely to serve as a general framework for the resolution of other disputes that will inevitably surface. Something around the Thomas Test, if agreement could be built among European data protection authorities, could be a useful addition to the growing list of ways that organizations can legitimately protect privacy while enabling the free flow of information for global commerce.
Jay Cline, CIPP, and Leonardo Cervera Navas, won Morrison & Foerster's 2005 Barbara Wellbery Award for their proposals to improve international privacy harmonization, and continue to collaborate toward that end. Cline is President of Minnesota Privacy Consultants, which assists companies with global privacy compliance. He may be reached at
. Cervera worked in the data protection unit of the European Commission until February 2005, and now serves in the copyright unit of the Commission. Cervera will be a visiting scholar at Duke University for the upcoming academic year. He may be reached at
All opinions expressed in this article are personal and do not represent the views of the European Commission.