Transatlantic Transfers of Personal Data Post-Schrems
MobileIron’s Post-Schrems Approach to Transfer of Personal Data is Consistent with Majority of TRUSTe Respondents
TRUSTe recently published results of a poll of 349 companies that was undertaken in the wake of the ECJ finding in October (in Schrems v Data Protection Commission (C-362/14)) that the current Safe Harbor framework was invalid as an adequate mechanism for the transfer of personal data from the EU to the US. The report provides a snapshot of how companies are now assessing their options for transferring data from the EU to the US. Like most of the respondents, MobileIron has increased its use of Model Contract Clauses post-Schrems but still continues to comply with the Safe Harbor Framework. And, like most respondents, MobileIron views the post-Schrems environment as one in which companies must maintain a flexible approach to compliance.
Hybrid Approach Favored by Majority of Respondents. Post-Schrems, MobileIron has taken a “hybrid” approach to transfers of personal data from the EU to the US. Under this approach, MobileIron continues to comply with the Safe Harbor framework (re-certifying in December 2015); however, at the request of our customers, we also have entered into data transfer agreements based on the EU Model Contract Clauses. This approach is now taken by 53% of respondents (up from 20%) to the TRUSTe poll.
Safe Harbor 2.0 Still on the Table. Like 78% of the respondents, MobileIron continues to comply with the current Safe Harbor Framework and is prepared to comply with Safe Harbor 2.0 should a new framework be approved by the EU Commission. We recognize that there can be no assurance that approval will occur in a timely manner (certainly by January 31st) or that implementation of Safe Harbor will not be deferred pending inevitable legal challenges. Nevertheless, we remain optimistic that a new framework agreement will be implemented and, in the meantime, we still view the existing framework as a valuable tool for guiding our practice.
But, We Still See Model Clauses as Here to Stay. Like 49% of respondents, MobileIron anticipates that we will need to keep Model Contract Clauses in place with certain customers even if or when Safe Harbor 2.0 is implemented. We expect that these customers will prefer the certainty of a contract to a framework that may be subject to subsequent invalidity (“once bitten, twice shy”). This is somewhat unfortunate in that the Safe Harbor Framework provides for greater uniformity and avoids the need for individual contracting; nevertheless, like many respondents, we realize that the dynamic that gave rise to the Schrems decision suggests it is prudent to maintain a “Plan B.”
No Need (or Benefit) to Going it Alone. Like 58% of respondents in a similar annual revenue bracket (i.e., $100 million to $500 million), MobileIron relies on a combination of in-house resources and outside counsel/third party certification programs to assess and verify our compliance. In parallel with the rise in customer privacy concerns (especially in a mobile computing environment), we have conducted detailed internal assessments of our data privacy and data security practices and combined these with ongoing advice and counsel from law firms and security experts. Ultimately, compliance must be owned internally and cannot be outsourced; but we recognize that, in the rapidly evolving and complex area of privacy, there is a lot to be gained by seeking outside help.
Expect More Regulatory Scrutiny. Like 87% of respondents, we expect that there will be greater regulatory scrutiny of data privacy practices under Safe Harbor 2.0. Similarly, like 72% of respondents, we also expect that implementation of Model Contract Clauses will heighten regulatory scrutiny. But one need only look at the FTC’s increasing role in advising (and enforcing) on data privacy and security to realize that this trend had traction long before Schrems. See, for example, FTC’s Start With Security guide to lessons learned from 50 enforcement actions. So, while this result certainly indicates a recognition that heightened regulatory scrutiny is a new reality, it does not necessarily attribute this to the Schrems decision.