CAP insights

Business Travel and the EU-US Privacy Shield

27 August 2020

The transmission of personal data between EU member countries and the United States is governed by the EU-US Privacy Shield, an agreement reached in 2015 between the European Commission and the US Government which allows EU businesses to freely transfer personal data to the US.

On 16 July, the European Court of Justice (ECJ) ruled that the Privacy Shield is invalid, on the basis that the privacy rights of EU citizens are not adequately protected if their data is transferred to the US, due to the level of oversight provided to US intelligence and national security agencies - making the transfer of data from the EU to the US technically illegal.

The European Relocation Association (EuRA) and their strategic legal consultant Gordon Kerr have provided an excellent briefing and regular updates on this significant change to data protection from a global mobility perspective: the Privacy Shield was the mechanism used by tech giants including Amazon, Google and Microsoft to conduct transatlantic data transfers, and within the global mobility sector was used by US-based relocation management companies (RMC’s) to allow assignees personal data from the EU to be held on servers in the United States.

My experience in global mobility, working with large RMC’s, was that prior to the introduction of the Privacy Shield, assignees were required to sign a specific waiver enabling their personal data to be transferred to the United States – and effectively provided to the security and intelligence agencies for review – and not all were happy to agree, for a variety of reasons.

Since the ECJ verdict, RMC’s which have relied on Privacy Shield accreditation to transfer data to the US have been rushing to put into place alternative contracts with their clients and suppliers which incorporate “EU Standard Contractual Clauses” to provide personal data with the same level of protection afforded by the GDPR.

From the perspective of extended-stay corporate/business travellers, who are not booking their stay through an RMC, this issue remains relevant. We assume that there is a huge amount of activity going on behind the scenes to ensure this issue is resolved for extended stay business travellers departing the EU.

While we understand from the EuRA updates that discussions are being held to try and agree a revised form of Privacy Shield to satisfy the ECJ, the current heightened geo-political and trade pressures mean early resolution is not guaranteed.

In the interim, Corporate Clients with current extended stay business travellers, that have direct relationships with US-headquartered operators/agents (depending on where their data is stored), should have a solution in place, albeit it potentially temporary, for this issue. This is a high-priority agenda item that will avoid breaching EU data protection law, and impacting the security of personal data for your extended stay business traveller.

For the full EuRA briefing, watch here:

EuRA Privacy Shield Briefing

Back To Blog