Travel managers worldwide must take immediate action to ensure their
European travelers’ personal data is transferred lawfully outside the European
Union, the German travel management association VDR has warned. VDR issued its
advice after the Court of Justice of the European Union invalidated Privacy
Shield, a legal framework intended to safeguard imports of personal data from
the EU to the U.S. in compliance with Europe’s more stringent standards. The
same judgment, issued on 16 July, also effectively cast doubt on the viability
of another data protection procedure known as standard contractual clauses.
The problem is a pressing one for corporate travel because the
sector is dominated by U.S.-based companies. “Travel managers should assume passenger name record data linked to any
travel reservation will end up in the U.S.,” said
Hans-Ingo Biehl, executive director for VDR.
The EU and U.S. introduced Privacy Shield in 2016 to
replace Safe Harbor, a framework also invalidated by the ECJ in 2015 for
insufficient robustness. Although Privacy Shield included more protections than
its predecessor, data privacy experts and indeed VDR warned from the outset it
was likely to fail judicial scrutiny for similar reasons. Even so, 5,300
companies were active signatories to Privacy Shield when the ECJ invalidated
it, including more than a dozen travel management companies and numerous other
travel businesses.
Guidance issued this week by the European Data Protection Board,
responsible for consistent application of data protection rules by supervisory
authorities within the EU, clarified there is no grace period permitted for
ceasing to use Privacy Shield. “The transfer must be stopped immediately and
alternatives must be examined as to how data processes can be changed over
while [the data remains] in the EU,” VDR has written to its members.
The same ECJ judgment also required data controllers, which can
include travel managers, to review standard contractual clauses, the most
common process used in the corporate travel industry to protect data exports
outside the EU. SCCs—also called model contractual clauses—are inserted into
contracts to guarantee legally that service providers will treat data compliantly.
According to the EDPB, data transfers using SCCs, or an SCC
alternative deployed by large multinational corporations known as Binding
Corporate Rules, must be reassessed for whether they offer equivalent
protection to the EU’s General Data Protection Regulation. Since the ECJ ruling
also stated there is no equivalent protection in the U.S. because of lack of
redress for data subjects and American laws permitting mass data surveillance,
the validity of SCCs for U.S.-bound transfers is in doubt.
“If you are unsure the data is unsafe using SCCs, don’t transfer any
more of it,” said Biehl, who urged travel managers to hold urgent consultations
with their TMCs and online booking tool providers.
“What the ECJ decision told us is we all need to be
accountable and responsible for the data that emanates from us,” said Samantha Simms, a corporate travel data protection specialist who is
principal consultant and founder of the Information Collective. “If your TMC has asked
you to agree to certain SCCs, you should be asking them to what extent they are
carrying out impact assessments and how are they going to manage U.S. hosting
from now on.”
The EDPB is assessing what supplementary legal, technical and
organizational measures could be introduced to maintain SCCs and BCRs as
legitimate mechanisms for overseeing data transfer to the U.S. Its guidance
discusses obtaining data subjects’ consent as one answer to the problem—but
only for “occasional” use.
“Travel managers would have to go to travelers
and get consent from them that they are okay with the data transfer,” said
Biehl. “That’s a process you don’t want to have. It’s a lot of
bureaucracy. You would have to liaise
with your HR department to ensure that whatever you did was acceptable. This
can only be a solution for the short term to make individual trips possible.
It’s not a process that can be used for regular data transfer.”
If an assessment finds no
supplementary measures can be relied on as adequate, the EDPB confirmed companies
must be prepared to remove contractual permissions within their supply chain.
Another potential solution would be for travel companies to store
their data in Europe. However, this too has its challenges. According to Simms,
the Clarifying Lawful Overseas Use of Data Act of 2018 allows the U.S. government
access to U.S. company data no matter the jurisdiction in which it is held.
Also, Simms warned, “Commercially this will
place U.S. companies operating in the EU in a very difficult position. Data is
more expensive in the EU than other regions. We will see this reflected in
agreements in the travel sector, which will start to pass some of these costs
on to the corporate customer.”
Biehl believes storage inside the EU would merit a higher
price tag. “I think corporate customers would be ready to
pay more if they thought their data was being treated compliantly,” he said.