Travel managers worldwide must take immediate action to ensure their European travellers’ personal data is transferred lawfully outside the European Union, the German travel management association VDR has warned.
VDR issued its advice after the Court of Justice of the European Union invalidated Privacy Shield, a legal framework intended to safeguard imports of personal data from the EU to the US in compliance with Europe’s more stringent standards. The same judgment, issued on 16 July, also effectively cast doubt on the viability of another data protection procedure known as standard contractual clauses.
The problem is a pressing one for corporate travel because the sector is dominated by US-based companies. “Travel managers should assume passenger name record data linked to any travel reservation will end up in the US,” said Hans-Ingo Biehl, executive director for VDR.
The EU and US introduced Privacy Shield in 2016 to replace Safe Harbor, a framework also invalidated by the ECJ in 2015 for insufficient robustness. Although Privacy Shield included more protections than its predecessor, data privacy experts and indeed VDR warned from the outset it was likely to fail judicial scrutiny for similar reasons. Even so, 5,300 companies were active signatories to Privacy Shield when the ECJ invalidated it, including more than a dozen travel management companies and numerous other travel businesses.
Guidance issued this week by the European Data Protection Board, responsible for consistent application of data protection rules by supervisory authorities within the EU, clarified there is no grace period permitted for ceasing to use Privacy Shield. “The transfer must be stopped immediately and alternatives must be examined as to how data processes can be changed over while [the data remains] in the EU,” VDR has written to its members.
The same ECJ judgment also required data controllers, which can include travel managers, to review standard contractual clauses, the most common process used in the corporate travel industry to protect data exports outside the EU. SCCs – also called model contractual clauses – are inserted into contracts to guarantee legally that service providers will treat data compliantly.
According to the EDPB, data transfers using SCCs, or an SCC alternative deployed by large multinational corporations known as Binding Corporate Rules, must be reassessed for whether they offer equivalent protection to the EU’s General Data Protection Regulation. Since the ECJ ruling also stated there is no equivalent protection in the US because of lack of redress for data subjects and American laws permitting mass data surveillance, the validity of SCCs for US-bound transfers is in doubt.
“If you are unsure the data is unsafe using SCCs, don’t transfer any more of it,” said Biehl, who urged travel managers to hold urgent consultations with their TMCs and online booking tool providers.
“What the ECJ decision told us is we all need to be accountable and responsible for the data that emanates from us,” said Samantha Simms, a corporate travel data protection specialist who is principal consultant and founder of the Information Collective. “If your TMC has asked you to agree to certain SCCs, you should be asking them to what extent they are carrying out impact assessments and how are they going to manage US hosting from now on.”
The EDPB is assessing what supplementary legal, technical and organisational measures could be introduced to maintain SCCs and BCRs as legitimate mechanisms for overseeing data transfer to the US. Its guidance discusses obtaining data subjects’ consent as one answer to the problem – but only for “occasional” use.
“Travel managers would have to go to travellers and get consent from them that they are okay with the data transfer,” said Biehl. “That’s a process you don’t want to have. It’s a lot of bureaucracy. You would have to liaise with your HR department to ensure that whatever you did was acceptable. This can only be a solution for the short term to make individual trips possible. It’s not a process that can be used for regular data transfer.”
If an assessment finds no supplementary measures can be relied on as adequate, the EDPB confirmed companies must be prepared to remove contractual permissions within their supply chain.
Another potential solution would be for travel companies to store their data in Europe. However, this too has its challenges. According to Simms, the Clarifying Lawful Overseas Use of Data Act of 2018 allows the US government access to US company data no matter the jurisdiction in which it is held.
Also, Simms warned, “Commercially this will place US companies operating in the EU in a very difficult position. Data is more expensive in the EU than other regions. We will see this reflected in agreements in the travel sector, which will start to pass some of these costs on to the corporate customer.”
Biehl believes storage inside the EU would merit a higher price tag. “I think corporate customers would be ready to pay more if they thought their data was being treated compliantly,” he said.