Now that Safe Harbor Is Invalid, What Are My Options?
By Stuart Buglass, VP Consulting
The European Court of Justice (ECJ), Europe’s highest court, declared yesterday that the US-EU Safe Harbor data sharing arrangement is invalid. The ruling is truly a landmark decision and has a massive impact on US businesses that transfer the personal data of EU residents under the Safe Harbor regime.
Background: The Basics of the Safe Harbor Agreement
EU law prohibits the transfer of EU data to countries that do not provide the same level of statutory protection as the EU. To date, the EU Commission (the executive body responsible for EU legislation) has only assessed 11 countries as having adequate protection … and the US is not one of them. However, on 26 July 2000, the EU Commission made a concession which permits the transfer of EU data to the US if the receiver is registered in the US Safe Harbor scheme. As my colleague Katie Davies wrote in a brief 2013 piece, “the EU and the US Department of Commerce created Safe Harbor certification so that eligible US companies could meet the EU data protection requirements by adhering to seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.”
Why the Safe Harbor Agreement Is No Longer Valid
Following the ECJ’s decision yesterday, the US-EU Safe Harbor concession no longer applies, and EU data held in the US under Safe Harbor is now no longer compliant with EU law.
The ECJ was presiding over a case against Facebook, brought by Max Schrems in Ireland, the location of Facebook’s European headquarters. Schrems is an Austrian data privacy campaigner who launched the case two years ago in response to Edward Snowden’s revelations about the US National Security Agency’s Prism program, including the fact that the program conducted covert surveillance of EU data held in the US. The case focused on the Safe Harbor regime, with Schrems arguing that it provided no protection at all against the surveillance activities of the NSA and was therefore in breach of EU data privacy laws.
As a result of yesterday’s decision in Schrems’ favor, the ECJ has stated that the Irish Data Protection Commissioner must address Facebook’s position and “decide whether ... transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”
With the Safe Harbor agreement now officially invalid, all EU data transferred to the US (including data already in the US) will be considered unlawful unless additional safeguards beyond those outlined in the old Safe Harbor agreement are put in place.
Your Data Transfer Options Post-Safe Harbor
So with Safe Harbor removed, are there any other means of legitimizing a transfer of EU data to the US?
The short answer is yes. EU law will permit a transfer if adequate security measures are put in place. There are a few ways of achieving this.
Firstly, a transfer is permissible if the EU data subject consents to the transfer. This sounds simple enough, but implementing procedures to comply with this requirement can be incredibly cumbersome. The data subject’s consent must be explicit and must apply to each and every transfer, which makes the consent unsuitable for the repeat transfers of data required in an ongoing customer or employment relationship. It’s also important to note that obtaining consent for future data transfers will not address the issue of data already in the US that was obtained under the Safe Harbor agreement and no longer deemed safe under EU law.
Secondly, data can be lawfully transferred to a US-based receiver if the receiver has signed a data transfer agreement, the terms of which must comply with the EU Commission’s Model Clauses. Such an agreement contractually binds the US data receiver to the same EU data privacy standards and liabilities as apply to the EU data controller. It should be said that standards and liabilities for EU data controllers are evolving quickly and are only getting stricter. With the presumed passage of EU Data Protection Regulation next year, EU data controllers will have significant accountability, including strict breach responses and the requirement to provide evidence of existing controls.
Obviously, introducing new contractual undertakings to US multinationals’ existing supply chains won’t be easy. But for organizations that already have EU data in the US, and for smaller organizations, signing an EU-compliant data-transfer agreement is the most realistic way to fill the Safe Harbor vacuum and is preferable to documenting data subject consent for each data transfer.
There is a third option available to multinational organizations, namely Binding Corporate Rules (BCRs). BCRs are a set of internal rules and procedures which ensure that the same standards of protection are applied throughout a global organization. A BCR must be approved by the relevant data protection regulator in the EU. Given that a BCR can only apply to transfers of data within an organization — not to transfers of data to third parties — it has limited scope.
Finally, larger organizations may take a completely different route to compliance. If the data remains in the EU, then the issue of data transfers disappears. Amazon has been a forerunner in this regard, and its EU customers can now choose to have their data stored in either Dublin or Frankfurt. Following the Schrems decision, we suspect many other large US-based players will accelerate their plans to localize data storage in the EU rather than transfer it to the US.
For more information, read Stuart's post on preparing for the EU's General Data Protection Regulation.