In the final installment of this quarterly series, Stephen Bolinger, CIPP/E, CIPP/G, CIPP/US, CIPM, who spent years at tech giant Microsoft, shares some of the strategic and tactical decisions along the way as a first-time CPO at start-up TeleSign.
In the first three columns of this series, we looked at how startups and small companies can build a privacy policy, train employees and nurture a culture of privacy and build upon the basics to use privacy strategically. In this final column, we’ll look at how regulatory change can affect the already dynamic nature of a startup.
As a series of Monty Python sketches once said, “nobody expects the Spanish Inquisition!” I have to admit that I was one of the many privacy professionals who, for years, balked at the suggestion that Safe Harbor would cease to exist. So I was genuinely surprised at (and a bit bewildered by) the advocate general’s (AG) opinion and the European Court of Justice's (ECJ) final judgment in Schrems. Dealing with regulatory change can be difficult for any company, and even more so when you aren’t expecting it. In this article, I’ll be using the Safe Harbor situation as the context within which to describe how we’ve dealt with regulatory change here at TeleSign.
Reacting to regulatory change
Laws, regulations and the views of regulators naturally change over time. But those changes are generally slow evolutions or, in the case of new laws and regulations, things that the market can see coming long before they are in force. With the demise of Safe Harbor, the advance warning that most of industry had was the AG opinion issued the week before the ECJ's final ruling in Schrems. When an unexpected event like this arises, it’s important to move quickly to assess your immediate and longer-term options.
Data processors in the U.S. have three main options for addressing cross-border transfers in the absence of Safe Harbor: adopt the EC’s Standard Contractual Clauses for Data Processors (EU Model Clauses); pursue Binding Corporate Rules (BCRs) or do away with the transfers and bring everything (and I do mean everything) to the EU. The key distinction between processors and controllers in this circumstance is that consent is generally not a workable derogation for processors. As a global service provider and data processor ourselves, here's how we assessed each of these options at TeleSign.
EU model clauses
The EU model clauses are a set of standardized contractual clauses approved by the European Commission as a contractual way to legitimize transfers of personal data to countries outside of the EU that have not been found to provide adequate protection of personal data. There are sets intended for transfers between two controllers, and a set for transfers between an EU-based controller and a non-EU processor. In some EU member states, notification to or even prior approval of the supervisory authority is still required prior to conducting transfers on the basis of the model clauses. Nonetheless, their use has become commonplace among European businesses.
One of the key challenges that larger organizations face in using the EU model clauses is the obligation to flow those terms down to any vendors handling personal data (aka, subprocessors). Renegotiating new terms with vendors can be both difficult and time-consuming. For a small company like ours, that burden is minimal, as we have only a handful of vendors working for us. Beyond that, there are audit clauses and data deletion clauses that give some organizations heartburn, but small companies will likely have already had customers insist on these types of terms even in the absence of the clauses.
When I first joined TeleSign, I was comfortable with relying upon Safe Harbor for transfers of personal data to the U.S., but I also expected that we would eventually encounter certain customers within Europe who would insist upon addressing cross-border transfers in a different way. I was involved early on in Microsoft’s effort to adopt the EU model clauses for its cloud computing services, and I expected that they would be central to the next version of TeleSign’s privacy and security terms.
We had already been in the process of rewriting our contractual privacy and security terms, including the integration of the clauses, so when the AG’s opinion was released, we simply accelerated this effort.
Binding corporate rules
Binding corporate rules (BCRs) are an option as well. However, they generally take more than a year to implement and to be approved by every supervisory authority in the EU. On top of that, they’re also an expensive option, as the whole process usually requires specialist assistance in the form of a consulting firm or outside law firm. The one mitigating factor in all of the downside of BCRs for a small company is that the operational processes that are often the subject of much review will be easier to assess and adjust than they typically are for a large multinational. Nonetheless, we ruled out BCRs in the near term due to the timing and expense involved.
Data localization is not just about the data's location
A more drastic option to address the failure of Safe Harbor is to do away with cross-border transfers entirely. Throw everything into a European data center and call it done, right? Not so fast.
A settled principle of EU data protection law is that access to personal data from outside of the EU constitutes a transfer of that data to the country from which it is accessed. So moving a cloud service to an EU-hosted facility is only one part of this approach. For this to be a complete solution, companies also need to move customer and technical support staff, as well as operations staff, into the EU, to the extent that any of these individuals need to access personal data stored in those EU data centers.
I’ve seen a number of announcements recently from large tech companies talking about offering their cloud services from EU-based data centers. But the only one which seems to address the operational and staffing component of the issue is Microsoft’s deal with T-Systems in Germany, through which T-Systems will take over the day-to-day operations of Microsoft’s cloud services for Germany, and any access by Microsoft would be subject to a customer’s consent.
Moving all data, staff and support services to the EU can be far too costly and logistically difficult for startups and small businesses to justify, especially in light of a reasonable alternative in the form of the EU model clauses. Nonetheless, if supervisory authorities reject transfers to the U.S. based on model clauses (see below), or EU customers insist on full provision of services within the EU, they should similarly expect the costs of cloud services to rise. Large service providers may be able to absorb the costs of a ring-fenced EU-only service, but smaller companies will need to recoup these additional costs. The greatest impact of such a result would be on both EU and U.S. small businesses.
Another Spanish Inquisition on the horizon?
When you’re out at sea and not feeling well, people will tell you to look out at the horizon. It’s supposed to help settle your stomach by giving broader spatial context to the motion under your feet. It’s similarly helpful to keep an eye on the horizon in the face of regulatory change. Doing so will help you both anticipate what’s coming next and keep your mind on where you’re going as an organization.
We looked to the horizon and saw the need for model clauses even before the Schrems decision, and that fortuitously allowed us to move quickly despite the sudden regulatory change. In fact, we’re already including them in our standard privacy and security terms and making them available to existing customers by way of amendment. This helps reinforce to our customers our commitment to ensuring that our services can be used by them in a privacy compliant manner. The EU Model Clauses will likely be the near term destination for many other organizations as well.
As for anticipating what comes next, the scope of the CJEU’s ruling in Schrems is so broad that any supervisory authority in the EU can call into question the sufficiency of Safe Harbor 2.0 (or EU model clauses, or BCRs, or adequacy findings!). But the advocate general’s opinion went even further when it analogized the rights of EU supervisory authorities to challenge EC decisions to asylum cases under the European Charter of Human Rights. In those cases, member states were justified in violating an EU regulation because to otherwise follow the law and send asylum seekers back to the member state through which they first entered the EU would send them back to a country that was unlikely to protect the individuals’ fundamental human rights.
If this analogy is taken to its logical conclusion, then a supervisory authority in Germany (for argument’s sake) could challenge the transfer of personal data to the UK on the basis that the German authority has determined that German citizens’ fundamental human rights to privacy would be violated in the UK, notwithstanding that both the UK and Germany are bound by Directive 95/46/EC or the forthcoming General Data Protection Regulation. This would undermine the entire notion of a harmonized approach to data protection.
In light of this newly recognized power of data protection supervisory authorities, it is reasonable to expect at least some of them to object to transfers based on Safe Harbor 2.0. This is exactly what is cautioned by over 40 privacy groups in a recent letter to U.S. and EU officials responsible for the renegotiation of a new Safe Harbor. Of course, some authorities may block transfers to the U.S. based on model clauses, too. We’ve already seen this approach—first from the supervisory authority of the German Land of Schleswig-Holstein, and subsequently from the entire collection of German supervisory authorities. This calls into question the value of joining a Safe Harbor 2.0 scheme that may only be valid for some EU member states and that subjects a U.S. organization to additional regulatory scrutiny at home.
For a Safe Harbor 2.0 to have meaning, the EU must have the power to bind all of its member states to the agreement. If it doesn’t work in Schleswig-Holstein, then it doesn’t work at all.
The weeks since the Schrems decision have been turbulent not only for the privacy community, but for European and American businesses alike. And rightfully so. In 2012, the European Commission published a paper titled Unleashing the Potential of Cloud Computing in Europe. Within that paper, the EC proposed that the adoption and nurturing of cloud computing could bring to the EU “an overall cumulative impact on GDP of EUR 957 billion, and 3.8 million jobs, by 2020” (citing a 2012 IDC study). If the uncertainty of a reliable and harmonized approach for transfers of personal data out of the EU continues, the economic impact will be felt on both sides of the Atlantic, and the EC will need to revise its estimate.
Luckily, we are not often faced with such abrupt and significant regulatory changes. But if you expect the Spanish Inquisition, you’ll have a better shot at dealing with it if and when it comes.