[UPDATE, Oct. 9: Amadeus statement included. An Oct. 12 BCD Travel statement is here.]
Travel and expense management providers don’t expect drastic changes in response to the European Court of Justice’s annulment of a key EU-U.S. data privacy accord. The data will still flow. But they’re attentive to these and similar developments, and thinking about where they may need to stand up new servers.
Invalidated on Tuesday, the Safe Harbor pact had for 15 years enabled participating companies — now more than 4,500, according to the Wall Street Journal — to legally transfer data on European citizens to servers in the United States. European Commission and U.S. negotiators already were working to replace the agreement, which appeared inadequate following revelations in 2013 of private-sector collaboration in U.S. National Security Agency surveillance. The court ruled that compliance with the agreement does not adequately protect the private information of European citizens held on U.S. servers. Now national data privacy regulators in EU states have authority over such transfers.
This means businesses and other organizations need to evaluate internal employee data going across the Atlantic and potentially update contracts that address privacy based on Safe Harbor.
Safe Harbor isn’t the only framework for legal data sharing. Companies can seek individual consent. Data protection agreements also can incorporate the EU’s model contracts. Microsoft last year included compliance with the models as a standard part of its enterprise cloud services contracts. Salesforce now is working to incorporate the clauses.
Another option is operating under binding corporate rules. American Express Global Business Travel claims it is the only travel management company to do so. “While our BCRs mean that our data operations remain lawful, we are also investing in a data center in the EU to give customers even greater comfort about service, privacy and customer confidentiality,” according to a GBT press official.
Now that checking the Safe Harbor box in agreements covering European users means nothing, providers of travel management services may need to put money and time into new contracts to avoid fines or enforcement orders. Chris Babel, CEO of data privacy management company TRUSTe, told the Wall Street Journal that it may be too expensive for small companies to build their own European facilities or pay companies that already have them.
They must make that tech investment if they want to collect personal client info in Russia. The country’s privacy laws as of Sept. 1 require companies collecting electronic data on nationals to process and store that data within Russia. Moscow said it would be checking for compliance this year and named the “banking sphere, air travel, hotels, mobile operators [and] e-commerce” as focus areas. Air travel booking data apparently is excluded, as is international visa information in some cases. Apple said it’s building a data center in Russia.
Expense management provider Databasics is a TRUSTe client. Its customers wound up taking automated services offline in Russia as a result of the regulations. With much more business in the EU, that’s really not an option.
“There are a number of possible expedients, including contractual changes with affected customers, that can address the court ruling,” according to Databasics CEO Alan Tyson. “We also understand that EU and American negotiators have been working on a Safe Harbor update and that they are now accelerating their efforts. We will do whatever we need to comply with EU privacy law, but we do not see at this point that this is a crisis. Still, we are watching this closely.”
Expense firm Chrome River “generally” includes the EU model clauses in its agreements, meaning the ruling “will have little or no legal impact on our customers,” according to CEO Alan Rich. He said expense management firms already adhere to tough standards, such as the Payment Card Industry Data Security Standard.
Travel data specialist Cornerstone Information Systems is conducting a legal review and working to incorporate the model clauses in its client agreements. Companies like Cornerstone and Grasp Technologies already were considering new data centers within the EU and elsewhere, officials said. A Concur statement suggests the SAP-owned company is thinking about data localization: “As we continue to grow our data processing capabilities around the world, we strive to ensure we are able to meet the requirements of local laws and regulations.”
Radius Travel said it is studying the ruling. Sabre indicated it does “not believe there is any impact to our business.” Travelport noted its use of binding contracts and affirmed that “bookings are being processed with adequate protections for personal data and in compliance with European and national data protection law.” Amadeus said it does not expect a significant impact since its data center and headquarters are based in Europe.
Everyone’s watching closely.
“This ruling does bring a period of uncertainty for travel businesses until the Department of Commerce and the European Commission can agree and put a new framework in place,” according to Cornerstone CEO Mat Orrego. “For the moment, it’s about compliance and contracts and making sure there is consent between the parties as to what is happening” in terms of the frequency and nature of shared data.
“There effectively have been no decisions on what, if anything, U.S. companies need to abide by and we need to wait until we see what those are,” noted Grasp Technologies vice president Dave Lukas.