GC Focus: Surviving in a World Without Safe Harbor

The situation related to Safe Harbor, the framework that previously enabled transfers of data between the E.U. and U.S., continues to evolve.

As most know by now, a month earlier, on October 6, 2015, the European Court of Justice (ECJ) invalidated the U.S.-E.U. Safe Harbor Framework, which allowed companies to transfer personal data between the two nations. The ruling said the Framework was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. The court based its decision on leaks from Edward J. Snowden, the former contractor for the National Security Agency, which made it clear that American “law and practice” do not protect data transferred against “surveillance by the public authorities,” namely American intelligence agencies.

On November 6, the European Commission issued a formal Communication in response to the ECJ’s ruling, intended to provide an overview of the alternative tools for transatlantic data transfers under the E.U. Data Protection Directive (Directive 95/46/EC). This follows on the E.U. data protection authorities’ Article 29 Working Group’s Statement of October 16 on the implications of the ECJ’s ruling. In the meantime, E.U. and U.S. authorities are negotiating “Safe Harbor 2.0,” expected in early 2016.

The ECJ ruling has potentially serious ramifications for American organizations that collect, process, or store personal data in the E.U., such as employee payroll or benefits data, and its ramifications continue to be evaluated. Huron Legal will present a webinar on November 18, Staying Afloat with Safe Harbor: Five Practical Steps You Can Take Now, providing suggestions on how companies can better manage the private data that they handle in a way that will be globally workable as the situation continues to evolve.

What the Safe Harbor Was

In 1998, the European Commission enacted the E.U. Data Protection Directive, which prohibited the transfer of personal data from E.U. nations to any country that did not meet an “adequate” standard for protecting personal data, defined as information that would allow people to be identified according to factors specific to their physical, physiological, mental, economic, cultural, or social identity. To meet this privacy standard, the receiving country would need to satisfy several criteria, including creating an independent data protection agency and registering databases with that agency. Because the United States has no formal privacy regime and satisfies none of those criteria, it does not satisfy the E.U. law.

As a measure to facilitate trans-Atlantic data transfer, the U.S. Department of Commerce negotiated a voluntary Safe Harbor Framework with the European Commission, which was approved in 2000. Under the Framework, organizations had to self-certify that they adhered to certain requirements, including providing notice about why they collected and used information, offering individuals the choice as to whether third parties could receive their information, giving individuals access to the information that organizations collect about them, and creating enforcement mechanisms to ensure compliance with the Safe Harbor principles.

The Implications of the Court’s Decision for American Businesses

The ECJ found the Safe Harbor Framework inadequate because U.S. government agencies were not subject to it, those agencies exceeded their need to access the personal data of E.U. citizens, and E.U. citizens have no way to seek redress. The ruling is broad enough to threaten the transfer of any data out of Europe, and it is not appealable.

Now, organizations are again subject to the individual whims of each nation’s data protection authority—at least for the time being. Another agreement has been in the works between the countries (commonly being called “Safe Harbor 2.0”), but until (and if) it is enacted, the individual privacy regulators in each country are tasked with interpreting the Court of Justice’s decision and ruling on the permissibility of data transfers. German data protection authorities have already suggested that other contractual mechanisms for transferring personal data may be invalid.

Recent Developments

The November 6 E.U. Communication specifically confirms that transfers pursuant to Safe Harbor are invalid. It states that E.U. Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), the generally accepted alternatives to Safe Harbor, are currently valid, pending the Article 29 Working Group’s review. The Working Group is reviewing those frameworks and is expected to issue its findings in January 2016.

Meanwhile, negotiations continue regarding Safe Harbor 2.0, and it is expected to be finalized in early 2016. Most privacy professionals say it will likely not be a self-regulatory framework like the prior version, meaning it will certainly involve greater scrutiny of individual organizations’ compliance. Some of its proponents suggest that the changes to the USA Freedom Act in June 2015 and the Judicial Redress Act, which passed the House and is currently in the Senate, will mitigate the spying concerns that were the basis of the ECJ’s invalidation of the original framework. Naysayers do not believe that those changes are sufficient to withstand the ECJ’s scrutiny.

One thing is clear: the situation is evolving and will continue to evolve. Organizations will want to review their current practices and commitments and seek legal counsel on the framework that best serves their data transfer needs. They will also want to closely examine how they manage personal information. There are immediate and practical steps that companies can take that will allow them to react quickly to the changing laws in the global privacy space. For advice on some of those actions, see “Righting The Privacy Boat After The E.U. Safe Harbor Ruling,” an article first published on Law360.com by Huron Legal Director David Ray, and register for Huron Legal’s November 18 webinar, Staying Afloat with Safe Harbor: Five Practical Steps You Can Take Now.