A sense of humour often helps – especially when it’s serious …
Data Export and International Business (again)
The core principle of Safe Harbor was that data about EU citizens, once exported to the USA, would be handled according to US business practices and laws that ensured a level of protection “essentially equivalent” to that provided by EU law.
Schrems pointed out THE NAKED TRUTH: that mass surveillance by the NSA invalidates the principle of “essentially equivalent protection”. The CJEU had no option but to confirm it. In its review of the draft text of Privacy Shield, WP29 simply repeated that fact.
International business needs a working solution
Given the definitions of PII, the only safe assumption for marketers in international business is that all customer data should be treated as PII.
Proactive marketing is the precursor for international business. Both require a corresponding flow of data to function effectively. In practice, those data flows inevitably include Personally Identifiable Information. (May I send you our catalogue? To which address should we deliver?)
International business needs a self-certification method for data export. Why?
Well, one answer is because the current alternatives are conceptually incomplete and do not match the realities of international business.
Take for example the relationship between a manufacturer/exporter and their foreign distributors. The two organisations act together to identify and sell to Customers (joint marketing, key account management prior to contract signing).
- Binding Corporate Rules are intended for ‘intra-group transfers’ – they do not cover legitimate business partnerships between organisations that are not in the same group.
- Standard Contract Clauses are designed to cover the relationship between a Data Controller and its contracted Processor: they don’t fit so well when it comes to handling the relationship between equal parties – such as between Manufacturer/Exporter and foreign Channel Partner.
Let’s say it again: International business needs a self-certification method for data export.
Why? Because US-EU trade was worth US$ 694 billion (2014 figures).
If all the trading companies that used to use Safe Harbor – the ones currently without BCRs or SCCs, the ones waiting for Privacy Shield – actually applied under Article 46 (3) for “authorisation from the competent supervisory authority” for their data export processes, the system would be clogged up within a matter of days.
So where is Privacy Shield when we need it?
Conspicuous by its absence.
But fear not: for customer data, there’s always Article 49 (a) – Consent.
“the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”
International marketers can export data by the ton using that one. Here’s how:
The (online) data collection forms have a checkbox for data export approval and a timestamp, verified by a documented double opt-in process so that the consent can be proved in court.
Now add a link on the permission collection form to the Privacy Notice that clearly tells data subjects of their rights:
“XYZ Corp takes your privacy seriously … due to the international nature of our business … your personal data … provided voluntarily by yourself … necessary for implementing pre-contractual and contractual measures … flows freely within our group of companies and to our authorised business partners and distributors only …”
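One way to keep the consent record the paragraph above calls for, so that the explicit tick, the timestamp of both opt-in steps and the exact notice wording shown can all be produced later, is sketched here as an added example; it is not code from the original post, and the record layout, the 48-hour token window, the sample notice text and the helper names are assumptions.

```python
"""Explicit consent with double opt-in, recorded so it can be evidenced later.

Constructed example: field names, token handling, the validity window and the
notice text are assumptions, not a real product's schema.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

TOKEN_TTL = timedelta(hours=48)  # assumed validity window for the confirmation link

# Constructed stand-in for the privacy notice the permission form links to.
NOTICE_TEXT = (
    "XYZ Corp: your personal data may be exported to the USA. The CJEU has "
    "determined that US protection is not equivalent to that in the EU."
)


def notice_fingerprint(text: str) -> str:
    """SHA-256 of the exact notice wording, so the record shows which text was displayed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset (e.g. '2016-06-01T12:00:00+00:00')."""
    return datetime.fromisoformat(iso)


@dataclass
class ConsentRecord:
    subject_email: str
    export_consent_ticked: bool
    notice_sha256: str                  # fingerprint of the notice shown at submission
    requested_at: str                   # first opt-in: form submitted (ISO-8601)
    token_hash: str                     # only the hash of the one-time token is stored
    token_expires_at: str
    confirmed_at: Optional[str] = None  # second opt-in: link clicked; None until then

    def export_permitted(self) -> bool:
        """Explicit, informed and double-confirmed consent is the only passing state."""
        return self.export_consent_ticked and self.confirmed_at is not None


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_consent(store: Dict[str, ConsentRecord], email: str, ticked: bool,
                    now: datetime) -> Optional[str]:
    """First opt-in step. Returns the raw token to e-mail, or None if the box was not ticked.

    An unticked (or pre-ticked-by-default) box is not explicit consent, so no
    record is created and nothing can later be exported under it.
    """
    if not ticked:
        return None
    token = secrets.token_urlsafe(32)
    rec = ConsentRecord(
        subject_email=email,
        export_consent_ticked=True,
        notice_sha256=notice_fingerprint(NOTICE_TEXT),
        requested_at=now.isoformat(),
        token_hash=_hash_token(token),
        token_expires_at=(now + TOKEN_TTL).isoformat(),
    )
    store[rec.token_hash] = rec
    return token


def confirm_consent(store: Dict[str, ConsentRecord], token: str, now: datetime) -> bool:
    """Second opt-in step. Accepts each token once, and only inside its validity window."""
    rec = store.get(_hash_token(token))
    if rec is None or rec.confirmed_at is not None:
        return False  # unknown token, or already used
    if now > at(rec.token_expires_at):
        return False  # confirmation link expired
    rec.confirmed_at = now.isoformat()
    return True


def find_record(store: Dict[str, ConsentRecord], email: str) -> Optional[ConsentRecord]:
    """Look up the record for a data subject (linear scan is fine for the demo)."""
    for rec in store.values():
        if rec.subject_email == email:
            return rec
    return None


if __name__ == "__main__":
    store: Dict[str, ConsentRecord] = {}
    tok = request_consent(store, "subject@example.com", True, at("2016-06-01T12:00:00+00:00"))
    confirm_consent(store, tok, at("2016-06-01T13:00:00+00:00"))
    print(find_record(store, "subject@example.com"))
```

The point of storing only the token hash, the notice fingerprint and both timestamps is that the record can be shown unchanged later without the record itself being something that grants access: an attacker reading the store cannot replay a confirmation, and a disputed consent can be matched against the exact notice text the subject saw.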
Just to make the risks totally clear, how about paraphrasing the wording of the Schrems Press Release?
“If you’re an EU citizen, please note that this processing will probably include export of your data to the USA.
Please note that the CJEU has determined that the level of personal data protection offered in the USA, under US law, is not equivalent to that in the EU.
Whilst we at XYZ Corp have high international privacy standards, we cannot influence the ‘national security, public interest, and law enforcement requirements of the United States’.
It is possible that, while in transit, your data may be ‘accessed, rectified or erased’ without your or our knowledge and with ‘no means of administrative or judicial redress’.
If you can accept this, please tick the box and click the button labelled “Permission Granted”.”
It matches the facts.
It might cover the gap until Privacy Shield 2 or some other self-certification method is agreed.
But naming and shaming never was a very elegant strategy.
The PR department will probably shudder at the mere thought of it.
And yet – who knows? – perhaps the customers and the public will appreciate some honesty.
Better still would be a renewed attempt to restore some dignity to the situation as swiftly as possible.
Where is Privacy Shield?
Like the Emperor, international business is at risk of catching a chill.