EU-U.S. Data Transfer Turmoil: What It Means for Colleges and Universities

When personal data about European Union (EU) residents is transferred from the EU to the U.S., those data transfers are subject to the EU Data Protection Directive 95/46/EC (Directive). The Directive gives the European Commission (EC) authority to determine whether countries outside of the EU have data protection laws that "ensure an adequate level of protection" for EU personal data. Because the EU has not determined that the U.S. as a whole meets the adequacy standard, U.S. recipients of personal data from the EU must use EU-approved data transfer mechanisms. On October 6, the commercial world had the rug pulled out from under it when the European Court of Justice (ECJ) invalidated the U.S.-EU Safe Harbor Framework (Safe Harbor), which, until that point, had been the most popular and widely used of the EU-approved data transfer mechanisms. You can read more about the ECJ decision in our October 6 client alert.

The EU's invalidation of Safe Harbor has a limited direct impact on colleges and universities because Safe Harbor participants had to be subject to Federal Trade Commission jurisdiction, which does not extend to non-profit educational institutions. As a result, educational institutions have typically relied on other EU-approved data transfer mechanisms to transfer EU personal data to the U.S. These include standard contractual clauses and, in limited and appropriate circumstances, consent from the individual data subjects.

On the other hand, for-profit vendors or affiliated entities associated with colleges and universities have likely used Safe Harbor to support EU-U.S. data transfers and, if so, should promptly examine their options for continuing EU-U.S. data transfers. To the extent that colleges or universities have relied on vendors' Safe Harbor certifications to allow EU personal data to be processed on their behalf, they should ensure that those vendors transition to a permissible alternative immediately.

The ECJ decision is important to educational institutions because the basis for invalidating Safe Harbor—the extent of U.S. government surveillance and government access to personal data in the U.S.—applies equally to the other EU-approved data transfer mechanisms and also calls into question the validity of EU-U.S. data transfers generally. The ECJ decision also serves as a potent reminder that international data transfers always require special attention, including risk management considerations.

On October 16, the Article 29 Working Party (Art. 29 WP), which promulgated the EU Data Protection Directive and which comprises each EU member state's data protection authorities (DPAs) and representatives from the European Commission, provided U.S. companies with guidance about the practical implications of the October 6 European Union Court of Justice (ECJ) Safe Harbor decision. The Art. 29 WP provided the following five takeaways:

1. Safe Harbor is no longer a valid basis for EU-U.S. data transfers, and companies must find alternative solutions;
2. Standard Contractual Clauses and Binding Corporate Rules can still be used, at least for the time being;
3. Individual member state DPAs may investigate specific data transfers, such as on the basis of complaints against particular companies;
4. The DPAs expect the U.S. and EU to develop solutions to deal with the "massive and indiscriminate surveillance" in the U.S. and to provide an "adequate" framework by the end of January 2016; and
5. If no solution is found by the end of January 2016, then "EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."

Following the Art. 29 WP announcement, the German federal DPA and 16 German state DPAs released a position paper making clear that they are very skeptical about any EU-U.S. data transfers because of extensive U.S. government surveillance. That paper states, in short, that (1) German DPAs will not approve new authorizations for Binding Corporate Rules (BCRs) (another of the EU-approved data transfer mechanisms); (2) they will exercise their authority to audit standard contractual clauses; and (3) they will interpret "individual consent" very narrowly and make sure that it is not being used repeatedly or routinely. You can read more about individual EU member state DPA reactions in our October 28 client alert.

What Should Educational Institutions Do?

Nonprofit educational institutions should continue to use the EU-approved data transfer mechanisms upon which they are currently relying, but they should be aware that individual DPAs and EU residents can now challenge those data transfers. In addition, if the current negotiations between the U.S. and EU do not reach an appropriate resolution by the end of January 2016, all EU-U.S. data transfers may be called into question.  

For institutions collecting data directly from students and applicants, express, informed consent from the individual remains a valid option for transferring data. But the European Commission has reiterated that consent can only be used "if there is no other ground" and by very limited and overt means. Other than consent, the most viable and easily implemented data transfer mechanism is the EU-approved standard contractual clauses, which many businesses that had previously been Safe Harbor certified are now adopting as an interim measure. Going forward, institutions should review and, if needed, update their privacy and information security policies and practices and ensure that they apply to all transfers of personal information—whether for research purposes, cross-border transfers of human resource data, or exchanges with other institutions or third-party service providers.

What to Expect in the Coming Months

The Art. 29 WP encouraged member states and other European institutions to open discussions with the U.S. to find political, legal, and technical solutions to enable data transfers while respecting the EU position that privacy is a fundamental human right. In particular, the Art. 29 WP sees the potential that intergovernmental agreements could provide stronger guarantees and protections to EU citizens whose data is transferred to the U.S., perhaps in conjunction with a renegotiated Safe Harbor.

Right now, companies are scrambling to find alternatives to Safe Harbor. Although educational institutions are not in the same position, they may be affected by increased scrutiny of all EU-U.S. data transfers by EU member states and individuals. Educational institutions should monitor the EU-U.S. negotiations and, as the January 31, 2016 deadline approaches, be alert to the possibility that a broader category of EU-U.S. data transfers may be declared invalid, or at a minimum, be more heavily scrutinized for adequacy and compliance.