
Jay Cline, CIPP, and Leonardo Cervera Navas

In the past two years, the U.S. and the EU have found themselves at odds on at least six different types of EU personal data transfers to the U.S. Europeans generally have viewed these transfers as disproportionate for the intended purposes, violating the very sense of privacy. Americans have countered that the purposes for transferring the data are legitimate, and don't pose a material risk of harm to the data subjects. Existing mechanisms for certifying these exchanges have proven ill-suited to resolving these disputes, and have fallen short of establishing a lasting transatlantic truce. Is it time to consider a new mechanism for cross-border data exports?

Origin of the Disputes
The EU Data Protection Directive in 1998 set in motion a series of events that have led to the current portfolio of privacy disputes between the transatlantic powers. Article 25 of the directive famously threatened to block flows of EU personal data to countries deemed by the EU to not ensure an adequate level of protection. Article 29 of the directive established a Working Party of EU data protection authorities who subsequently determined that U.S. privacy legislation did not justify an EU finding of adequacy.

U.S. multinationals, concerned about a major disruption in their global operations, enlisted the help of the U.S. Department of Commerce to start talks with the Commission. The late Barbara Wellbery, who headed the Electronic Task Force for the International Trade Administration within Commerce, led the U.S. team, and her counterpart was Susan Binns, Director in charge of data protection matters at the Commission. The two sides negotiated the landmark Safe Harbor Agreement in 2000, an imperfect but brilliantly innovative solution to meet business and privacy objectives.

Meanwhile, the European Commission granted adequacy findings for Switzerland, Hungary, Canada, Argentina and a few smaller countries. The commission also developed other alternative mechanisms, such as standard contractual clauses and Binding Corporate Rules (BCRs), to transfer personal data to third countries. Despite these positive developments, the fragile U.S.-EU consensus would be tested by the September 11, 2001 terrorist attacks and the War on Terror, as well as the general trends in the globalization of commerce.

Three Disputes Over Government-Mandated Transfers
The Western effort to disrupt Islamic terrorist networks has precipitated the two biggest EU-U.S. privacy clashes over airline-passenger and financial data held by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a Belgium-based consortium that operates a worldwide financial messaging network. New U.S. federal rules on e-discovery have further complicated relations. In each case, the EU has argued that U.S. governmental authorities are requiring the transfer, retention and sharing of more personal information than is needed for U.S. national-security interests or its rule of law.

1. Transfer of EU Passenger Name Record (PNR) information. The U.S. requires that EU airlines flying to the U.S. supply up to 34 available data fields about passengers - including credit-card numbers, travel itineraries and addresses - or face fines of up to $6,000 per passenger and a possible loss of landing rights. According to various press reports, the Department of Homeland Security wanted 50-year retention of this information, direct data pulls from EU airline computers, pre-flight entry of data into a U.S. database by EU passengers, and access to this data by U.S. agencies involved in combating terrorism and pandemics such as the avian flu and tuberculosis. The EU conceded that using this data for anti-terror efforts is legitimate, but wanted shorter retention periods, EU airlines to push the data, anonymized data unless specific threats are identified, and tighter limits on which U.S. agencies could access the data.

Last month, the two sides announced a compromise: just 19 of the 34 data fields will be transferred to the U.S.; the EU will push the data, the U.S. won't pull it; the U.S. will retain "active" access to it for seven years, and more restricted access to "dormant" data for another eight years; and European national regulators remain competent to intervene and suspend PNR transfers in exceptional circumstances.

2. Transfer of EU financial information via SWIFT. In the frantic weeks following 9/11, President Bush issued a broad subpoena for the CIA, under the oversight of the Treasury Department, to gain access to SWIFT information to seek evidence of terrorist financing. In November 2006, EU data protection authorities unanimously recognized the legitimate purpose of the SWIFT transfers, but deemed them contrary to EU and national data protection laws. The two sides settled this dispute last month as well, whereby: electronic records of every data search will be kept; analysts will document the intelligence that justified each search; an outside auditor and mutually agreed-upon European will verify the searches are based on intelligence leads about suspected terrorists; SWIFT personnel stationed alongside intelligence officials could block inappropriate searches; the U.S. would retain the data no longer than five years; and SWIFT itself would adopt the Safe Harbor privacy principles. Banks that use SWIFT also will provide customers a privacy notice.

3. Transfer of EU personal data for legal discovery.
Following a series of scandals in which U.S. corporations failed to preserve or produce records required for legal proceedings, the U.S. has amended its Federal Rules of Civil Procedure. Under the revised rules, which took effect in December 2006, businesses subject to U.S. law must: (1) Retain all documents that may be relevant to pending and foreseeable litigation; (2) Search and produce all relevant records when discovery has begun; and (3) Meet these obligations without regard for where the documents are located, or whether they are in electronic or paper format. The penalties for failing to do so may include adverse rulings in litigation, criminal sanctions and independent tort claims. Several U.S. companies have begun storing copies of all electronic files on centralized "litigation servers" to comply with the rules, ensure the files' preservation, and reduce the time and cost of retrieval. Transferring these records outside of the EU - especially before litigation arises - has prompted EU concerns about violations of their data protection laws.

4. The U.S. government isn't the only catalyst of these disputes. EU privacy advocates voiced similar concerns last year when their own governments approved the Communications Data Retention Directive, saying its 2-year retention period was disproportionately long for anti-terror purposes.

Three Corporate Conflicts
Smoldering in the background of these government disagreements are a number of staff-level clashes among the U.S. and EU sides of large corporations.

1. Transfer of EU employee data via Human Resources Information Systems. The first time many U.S. companies take notice of EU data-protection regulations is when they attempt to centralize their global human resources systems onto U.S.-based servers using PeopleSoft software. When EU counsel assist these projects, three issues often crop up: (1) The flows of data are considered global if database administrators in any region could access the data; (2) Access to the data is thought to be too extensive if everyone in an employee's reporting chain can see his information; and (3) If sensitive health, race, or religious information is transferred, it raises the question of whether the appropriate consent was obtained. Several EU countries, for example, incorporate a "church tax" into the payroll process, leading employers to routinely capture employees' religious affiliation. Meanwhile, American project managers face obstacles in that employee consent is infeasible; Safe Harbor membership only covers the EU-U.S. data flows, not the flows to Asia; model contracts are too limited to address all the possible data flows; and getting BCRs approved is a multiyear project itself.

2. Transfer of EU health information for medical research. U.S.-based pharmaceutical companies and biomedical-device makers routinely test their products on human subjects located where the companies intend to certify and sell their products, including Europe. The testing process inherently requires the collection of sensitive health information. If there are adverse reactions to their products, the U.S.-based staff at these companies want the ability to trace their research back to identifiable individuals to help them to improve their products, and also report the incidents, as required, to the Food and Drug Administration. But some European privacy counsel and commissioners, notably in France, have opposed the transfer of this information to the U.S., even where codes have replaced full names. They argue that such transfers do not technically meet the requirements of EU and French data-protection laws, which are very restrictive regarding the processing of so-called "sensitive data" revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and health status.

3. Transfer of EU employee information in mergers & acquisitions. U.S.-based companies that acquire another company with offices in Europe are starting to discover another privacy-related hurdle: how and when to pull over the employee information of the company being acquired. American IT managers, under heavy pressure to make these mergers operationally smooth, can often only accomplish their objectives if they obtain the EU employees' information before the companies finalize the merger and by observing strict secrecy. In these cases, however, their EU counterparts may balk at the notion of providing the employee data without their consent, or some other suitable arrangement. American privacy officers, in turn, are hoping temporary model contracts or some other mechanism might address these concerns.

A New Mechanism?
The advents of the EU-U.S. Safe Harbor, and most recently, of BCRs, have not throttled down the number and intensity of cross-Atlantic privacy disputes, in particular where national-security considerations are in place. Despite the growing understanding on both sides of the Atlantic about these divergent approaches to privacy, some recent actions only have reinforced their stereotypes of each other as uncontrolled American cowboy and inefficient European bureaucrat.

UK Information Commissioner Richard Thomas, in his keynote address to the IAPP Summit in March 2007, tried to bridge this chasm by offering a potential solution: that Europe introduce the concept of harm into its considerations of what is proportionate and appropriate data processing from the adequacy of the protection point of view. If a certain data practice in a third country posed no direct or material harm to a person, but only harmed the concept of privacy at a theoretical level, perhaps certain bureaucratic requirements could be relaxed, he suggested. Thomas since has taken steps to retool his office's agenda in this direction. 

It is perhaps important to recall that this notion of "direct or material harm" is considered a "perversion" by other data protection authorities who are not willing to consider this idea. To them, fundamental rights must be respected in all circumstances, no matter whether their violation is likely to cause direct or material harm.

What would this principle look like in practice? In honor of the commissioner, we offer the Thomas Test - a set of three requirements for transfers of data outside the EU that, if implemented, would meet the European standard of adequacy ipso facto apart from any government-based certification process:

(1) The transfer serves a legitimate, lawful, public interest, in the opinion of a party independent of the interests at stake in the transaction. The party could be an internal or external auditor;

(2) The data transferred is limited to the files, fields and time frame necessary - in the view of the independent overseer - filtering in the EU and anonymizing where feasible.

(3) The data transferred is protected with measures consistent with the EU's or Federal Trade Commission's prevailing standard of reasonableness, whereby the recipient organization must be able to produce upon request evidence of its reasonable measures.

Absent from these requirements are obligations to give notice to, and obtain consent from, the data subjects for the international transfer of their data. Why? Because these three requirements, in and of themselves, should make immaterial the risk of harm to individuals of transferring their data across borders. That is why we call it the Thomas Test.

To a certain extent, these proposed requirements seem to be the core components of the agreements currently being discussed and explored in the six disputes profiled in this article, and are likely to serve as a general framework for the resolution of other disputes that will inevitably surface. Something around the Thomas Test, if agreement could be built among European data protection authorities, could be a useful addition to the growing list of ways that organizations can legitimately protect privacy while enabling the free flow of information for global commerce.

Jay Cline, CIPP, and Leonardo Cervera Navas won Morrison & Foerster's 2005 Barbara Wellbery Award for their proposals to improve international privacy harmonization, and continue to collaborate toward that end. Cline is President of Minnesota Privacy Consultants, which assists companies with global privacy compliance. Cervera worked in the data protection unit of the European Commission until February 2005, and now serves in the copyright unit of the Commission. Cervera will be a visiting scholar at Duke University for the upcoming academic year.


All opinions expressed in this article are personal and do not represent the views of the European Commission.
