Cross-border transfers of human resources data are the lifeblood of U.S. multinationals that centrally manage their global workforce from the parent corporation’s U.S. headquarters. Without these transfers, payroll and benefits, network access and online communications, succession planning, and myriad other functions fundamental to a global organization would grind to a halt. For nearly two decades, thousands of U.S. multinationals have relied on the special trans-Atlantic arrangement for cross-border data transfers — first, the Safe Harbor Framework and, after its invalidation in "Schrems I," the EU-U.S. Privacy Shield Framework — or the standard contractual clauses to lawfully transfer the personal data of job applicants and current and former employees located in the EU and U.S.
The July 16 decision by the Court of Justice of the European Union in “Schrems II” could severely upend global HR administration for U.S. multinationals with a European workforce.
By invalidating Privacy Shield and putting in doubt the continued viability of SCCs for EU-U.S. HR data transfers, "Schrems II" potentially could leave U.S. multinational employers with no practical options for the continued integration of their European workforce into their global operations. Consequently, U.S. multinational employers must understand “Schrems II’s” impact on them and start to evaluate the short- and long-term action items in response.
Transferring HR data from the EU to the US before ‘Schrems II’
Trans-Atlantic transfers of HR data are a daily occurrence within U.S. multinational corporations. On any given day, HR stakeholders and supervisory personnel in the EU may upload personal data concerning EU employees to a global human resources information system and other business applications maintained on servers in the U.S. and send to their U.S. counterparts emails, electronic files or other documents containing the personal data of EU applicants and employees. These data transfers are critical to a U.S. multinational’s global administration of its workforce.
U.S. multinational employers have relied heavily on Privacy Shield and SCCs to transfer HR data from the EU to the U.S. For organizations that centralize all HR databases and operations at the parent corporation’s U.S. headquarters, Privacy Shield allowed a seamless flow of HR data from the EU under the aegis of the organization’s certification. In contrast, U.S. multinational employers with more decentralized HR operations tend to rely on the SCCs. By executing SCCs with all global affiliates, the multinational employer can transfer HR data to its subsidiaries across the globe. For example, the regional HR headquarters for Europe, the Middle East and Africa might outsource HR data entry to a subsidiary in India with lower labor costs.
Both Privacy Shield and SCCs are critical to employers because of the lack of viable alternatives. Although the EU General Data Protection Regulation recognizes that a data subject’s explicit consent is a permissible derogation from the GDPR’s general rule prohibiting cross-border data transfers, employee consent cannot be used to justify transfers of HR data. The European Data Protection Board has opined that the imbalance of power in the employment relationship renders employees’ consent presumptively invalid.
U.S. multinational employers could, in theory, transfer EU personal data to the U.S. based on binding corporate rules that satisfy the GDPR’s requirements. However, BCRs must be tailored for each organization’s own data-handling processes and approved by the data protection regulator in each EU member state where the U.S. multinational has employees. Consequently, BCRs are expensive and time-consuming to implement and more than most HR professionals and budgets can handle.
Implications for U.S. multinational employers of the CJEU’s decision invalidating Privacy Shield and putting in doubt the use of SCCs
The CJEU’s decision in “Schrems II” had two key holdings for U.S. multinational employers.
First, it invalidated Privacy Shield based primarily on the fact that it allows U.S. intelligence agencies to access in bulk personal data transferred from the EU to the U.S., and EU residents have no recourse to an independent, judicial mechanism to challenge alleged data protection violations. According to the CJEU, this means that Privacy Shield does not provide an adequate level of protection for transferred personal data as required by the GDPR.
Second, the CJEU upheld the validity of the SCCs as a data transfer mechanism. However, the court also ruled that EU data protection authorities have the power to suspend transfers of personal data from the EU to a third country, such as the U.S., after determining that the third country’s laws interfere with the data importer’s ability to comply with the SCCs’ requirements. The CJEU did not address whether U.S. laws that permit U.S. intelligence agencies to access transferred personal data in bulk and without judicial recourse undercut the viability of the SCCs as applied to data transfers between the EU and the U.S. However, in light of the CJEU’s invalidation of Privacy Shield, the underlying proceeding in Ireland could result in a finding that the SCCs do not provide adequate protection for data transferred from Ireland to the U.S.
The CJEU's decision has the potential to severely disrupt U.S. multinationals' administration of their global workforce. Those who have relied on Privacy Shield to transfer personal data from their EU subsidiaries to the U.S. parent corporation and U.S. affiliates, or to U.S.- based service providers supporting global HR administration, will need to identify an alternative data transfer mechanism.
The alternatives, however, are limited. BCRs are not a practical solution for many U.S. multinational employers because of their complexity and the required investment of time and budget to implement them. At the same time, the European Data Protection Board has effectively eliminated consent as an option for cross-border transfers of employees’ personal data. While SCCs remain valid, their utility as a data transfer mechanism could be short-lived. The CJEU’s decision may be used in the underlying proceedings in Ireland to support the suspension of data transfers between Ireland and the U.S.
Such a decision could cascade into a pan-European ban on data transfers to the United States based on SCCs.
Next steps for US multinational employers
Given the potentially serious implications of the CJEU’s decision for U.S. multinational employers, what are possible next steps?
First, there is no need to panic, yet. The CJEU’s decision impacts thousands of businesses on both sides of the Atlantic. EU and U.S. authorities are under tremendous political and economic pressure to develop an alternative approach before a final judgment is issued in the Irish proceeding suspending data transfers from Ireland to the U.S. based on SCCs. Representatives from both sides have already expressed their commitment to finding a practicable solution. In addition, in 2015, when the CJEU invalidated the Safe Harbor, EU DPAs stayed enforcement for more than two months to give organizations time to address that decision. EU DPAs likely will announce a similar suspension in response to “Schrems II.”
In the interim, U.S. multinational employers should consider taking the following steps.
- Identify data transfers based on Privacy Shield: Identify all transfers of HR data that relied on Privacy Shield. When reviewing transfers, do not forget those to service providers. Organizations that rely on SCCs for intragroup transfers of HR data may rely on Privacy Shield for transfers of HR data from EU subsidiaries to at least some service providers located in the U.S.
- Transition from Privacy Shield to SCCs: To the extent an organization has relied on Privacy Shield for intragroup transfers of HR data, the organization should consider transitioning to SCCs with the understanding that this may be a temporary solution depending on the outcome of the Irish proceedings. Notably, the European Commission may issue a new version of the SCCs, but any such new version likely will incorporate many elements of the existing SCCs. Therefore, time spent transitioning from Privacy Shield to the current SCCs may bring the organization much of the way to complying with any soon-to-be-issued new version.
- Propose SCCs to service providers that relied on Privacy Shield: Many service providers that help U.S. multinationals to manage their global workforce had relied on Privacy Shield. These employers should consider proposing SCCs to service providers that had relied on Privacy Shield.
- Revise data-processing notices: The GDPR requires employers to provide data-processing notices to EU residents who are applicants, employees and independent contractors. These notices must address whether personal data is transferred outside the EU and, if so, identify the approved data transfer mechanism. Employers that had relied on Privacy Shield will need to revise these notices to reflect the replacement data transfer mechanism that they implement.
- Continue to comply with Privacy Shield: Organizations that certified to Privacy Shield must continue to comply with the Privacy Shield Principles for the duration of the certification. Organizations can withdraw from Privacy Shield by formally submitting a request to withdraw. However, if the organization retains personal data received on the basis of its Privacy Shield certification, the organization must continue to provide adequate data protection for that data, such as through SCCs.
- Watch for political developments: Remarks from members of the European Commission in the wake of the CJEU’s decision reflect their recognition of the decision’s wide-ranging impact. U.S. multinational employers should expect public announcements over the coming weeks from the European Commission, EDPB, and/or other EU or U.S. governmental authorities that should provide direction on additional next steps.
Photo by Anders Jildén on Unsplash