The US Bids Farewell to the Comforts of the Safe Harbor
Many companies have facilitated the transfer of personal information from the European Union and the European Economic Area to the United States by complying with the US-EU (and/or US-Swiss) Safe Harbor Framework run by the US Department of Commerce. The program has been in effect since the year 2000 and has served as a means to comply with the EU data protection requirements and permit trans-Atlantic data transfer. However, as of October 6, 2015, the framework is invalid.
What’s the News?
On October 6, 2015, the European Court of Justice, Europe’s top court (think: Supreme Court of the United States), ruled that Safe Harbor is invalid. The case stemmed from a revelation made by Edward Snowden, spurring an Austrian citizen to question the adequacy of Facebook’s data protection given Facebook’s cooperation with the National Security Administration’s surveillance program. Notably, the complaint alleged that there was no way for Facebook to comply with EU data protection laws given the massive surveillance that takes place in the US. A lower authority had refused to hear the complaint on the ground that it was bound by the Safe Harbor agreement; the ECJ now insists that such surveillance be investigated. According to the ECJ, permitting this type of US government oversight of European consumer data is impermissible. Further, given the inadequate protection provided to the personal data of European citizens under Safe Harbor, the ECJ determined that the program is invalid. You may recall our earlier update regarding this case, previously reported here.
What Is (Was) Safe Harbor?
The Safe Harbor framework took effect in 2000 to give businesses the ability to share data between the US and the EU. Under the EU Data Directive, the privacy law of the European Union, European consumers’ personal data, which is broadly defined to include many categories of information that may be reasonably linked to an identifiable individual, may not be transferred without providing certain assurances and complying with certain requirements. Under the Safe Harbor framework, US entities could “self-certify” that their data protection practices match the more stringent EU regulations. This certification allowed personal data from EU citizens to flow legally across the Atlantic to the US.
So, What Now?
Given the recent invalidation of the Safe Harbor framework, companies are faced with numerous questions regarding compliance with the recent decision and methods to continue sharing data amongst multinational entities. Based upon our experience and communications with members of the EU data protection community, including unofficial guidance from several countries’ Data Protection Authorities (DPAs), there are a few things to keep in mind:
- Stay vigilant! We will continue to provide updates to our clients and consider it of extreme importance to be mindful of the decisions made by the various country-specific DPAs, the national entities tasked with the responsibility of enforcing data protection laws in each country. The DPAs sometimes take divergent approaches to major privacy issues and it is important to not only be responsive to requests from DPAs, but to also take note of any official guidance provided.
- Start thinking! While the ECJ provided no grace period and the decision, therefore, had immediate effect, businesses should not make any decisions hastily. Specifically, all businesses should be careful to analyze their individual practices and determine reasonable alternatives. We note that alternatives such as standard contractual clauses and binding corporate rules, methods previously approved for transfer of data from the EU, are currently still valid. That said, these methods have been called into question and are likely to face the same scrutiny as the Safe Harbor framework. Protection under these methods may, therefore, be a short-lived solution to this issue.
- Be ready for questions from your clients. News of this decision caused international panic and businesses will receive questions regarding their data protection practices. These questions may come from consumers, but they may also come from international regulators as the US works to find new solutions to trans-Atlantic data transfer issues.
- Review relationships. It is important to check where Safe Harbor is built into any agreements (including promises made in online privacy policies) and to discuss how best to proceed. Both business-to-consumer and business-to-business relationships should be evaluated.