EU court judgement on data protection
The Schrems II case has been in the technology news of late, and data protection and privacy in general never seem to be far from the headlines these days. Rightly so: the handling of personal or sensitive data, and the security applied to it, is a serious matter, and every multinational company has an obligation and a responsibility to safeguard customer data in line with the highest industry standards.
Schrems II is a court judgment concerning the protections that apply when data controllers transfer personal data out of the EU. On July 16, 2020, the Court of Justice of the European Union issued a landmark judgment in the case, invalidating the EU-U.S. Privacy Shield framework as a basis for transfers to the United States. The Court upheld the Standard Contractual Clauses (the "SCCs") issued by the European Commission for transfers to data processors established outside the EU, but only on condition that the exporter verifies, case by case, that the law of the destination country protects the data to a level essentially equivalent to that required in the EU. Because of the reach of U.S. surveillance law and the lack of effective redress for EU citizens, the Court found that this level of protection cannot simply be assumed for European citizens' data sent to the US.
This means that personal data can no longer be transferred from the European Union to the United States on the basis of the Privacy Shield, and that transfers relying on the SCCs must be assessed against European law and supplemented with additional safeguards where necessary. In response, U.S. government departments have begun discussions with the European Commission on an enhanced EU-U.S. Privacy Shield framework that would comply with the judgment.
Business implications
Needless to say, this has far-reaching implications for every multinational company that gathers and holds data on European citizens and also transfers that data outside Europe to the US. The concern is that the SCCs on their own are not sufficient to ensure an adequate level of protection for EU data, mainly because the data protection laws currently in force in the US do not limit government interference with an individual's right to the protection of personal data in the way that EU data protection law does. This is what undermined the EU-U.S. Privacy Shield, and it calls into question the suitability of any transfer mechanism to the US under EU data protection legislation unless the protection actually afforded to the data is assessed.
The concern is understandable, as there is a real possibility that a person's data could be accessed by a United States government agency after a transfer has taken place, and the privacy rights guaranteed under EU law before the transfer may no longer apply afterwards. Understandably, many people would object to such a scenario. Supervisory authorities in individual EU member states may order the suspension of transfers of personal data from the European Union to the US where they find that the data is not adequately protected. The implications of such orders are stark, both for European businesses looking to reach customers in the US and for US-owned businesses operating out of European capital cities.
What does this mean for multinational companies operating out of European bases but looking to do business in the US market? It likely means that they will have to take more proactive measures to ensure their data protection obligations are met. Customers have data protection rights under EU law, and multinationals must now evaluate whether those rights can be upheld if any personal data is moved from a European location to the US. The question is whether the entity to which the data is transferred has an appropriate level of protection in place for handling customer data. If an assessment reveals that it does not, multinational companies may need to consider what additional safeguards (for example, technical measures such as encrypting the data before transfer with keys that remain under EU control) can be introduced to raise the existing level of data protection.
Data transfers
It may take years for the full implications of the European court judgment to work through into legislation, but it would be prudent and proactive for any company that intends to transfer customer data outside the European Union to review its data protection policies and procedures under the GDPR, including any binding corporate rules it relies on. Schrems II is something to keep a vigilant eye on, and multinational companies need to ensure that they receive regular updates from in-house legal counsel (or an outside subject matter specialist) on this subject, especially if they have plans to transfer data from a European location to the United States.
If all of this points to a trend towards data localization, the business impact would be significant. It is likely that major US-based businesses will lobby for improved data protection arrangements between the US and the EU in an effort to resolve this.
Payslip approach to Schrems II
Payslip takes data security very seriously and prioritizes all internal procedures around the security of customer data transfers. Payslip is a technology partner, and in our business model the global employer remains the data controller: user access rights and authorizations are controlled by the employer.
This means that the employer can grant access to the personally identifiable information (PII) of an EU citizen to a person who is not located in the EU.
The responsibility for who is given access to PII lies with the employer. In many cases, the employer permits access to EU payrolls set up on Payslip only to employees based in Europe, so non-EU data access is not an issue.
Should an employer grant access rights to EU data to a US-based user, that remote access would bring the data within the territorial reach of US authorities and would itself amount to a transfer of personal data outside the EU, falling within the scope of the judgment. There may be a legal basis for the employer to grant such access: to meet its legal obligations to deduct withholding tax, remit and file returns to in-country agencies, file the accounting reports required for legal compliance, and provide its employees with statutory payslips.
If these obligations can only be met by granting access to non-EU-based users, then the employer is obliged to set this out in its data protection policy and to inform the data subjects (and obtain their consent where consent is the basis relied on) about the management and payroll structure that will handle their data.
Payslip continues to have in-depth conversations with our legal counsel, and we fully acknowledge the importance of Schrems II and its evolving nature. Our technology and data are hosted and maintained within the EU, and our information security infrastructure is ISO/IEC 27001:2013 certified.
Our position remains unchanged: we provide technology to employers who, in their role as data controllers, are responsible for policy and implementation decisions on who in their organization will be authorized to engage with PII as part of their payroll, HR, finance or other related roles.
Based on those decisions, global employers set up users on our platform and choose which country, payroll, payrun and employee each user has access to. Should a client have US-based individuals involved in EU payrolls processed on our platform, the client should take steps to ensure it has a robust legal basis for processing this data and for the resulting transfer.
Payslip will continue to engage with our InfoSec, Data Protection and Legal Counsel on all matters relating to Schrems II and any subsequent court judgments.