The EU-U.S. Safe Harbor Framework (“Safe Harbor”) has provided companies on both sides of the Atlantic an efficient means to transfer personal information to and from the EU and the U.S. Recently, however, the Safe Harbor has come under attack. EU officials have opined that modern U.S. policy has eroded protections afforded under the Safe Harbor, resulting in the Safe Harbor no longer offering “adequate” protection as required by the EU Data Protection Directive 95/46/EC (“EU Directive”). Most recent, and perhaps most concerning, is the opinion from Advocate General Yves Bot of the European Court of Justice (“ECJ”), in which Bot recommended that the Safe Harbor be declared invalid.
Bot’s opinion cites recent U.S. policy as a primary concern for the ongoing validity of the Safe Harbor. Of note in Bot’s opinion are the revelations by Edward Snowden, which brought to light the mass surveillance practices of the NSA. Bot seemingly alludes to these practices, stating that “surveillance carried out by the United States intelligence services” interferes with EU citizens’ fundamental right to privacy. Although concerning for the future of the Safe Harbor, Bot’s opinion is just that, an opinion. The ECJ has yet to formally adopt Bot’s opinion, but a decision by the ECJ adopting it may create havoc for businesses, at least in the short term. The ECJ is expected to rule on the matter this week.
Would the end of the Safe Harbor spell “Doom” for EU-U.S. Business?
The Safe Harbor is arguably the most popular choice among U.S. businesses dealing with the transfer of personal information to and from the EU. This is partly due to its relatively simple self-certification process and broad applicability. So what happens if the EU declares the Safe Harbor invalid? Are there any alternatives to the Safe Harbor? Thankfully, yes.
First off, the Safe Harbor is only available to businesses that fall under the regulation of the Federal Trade Commission (FTC) or the Department of Transportation (DOT). This means that financial institutions, for example, are not eligible to conduct business under the Safe Harbor and would not be directly affected by an ECJ ruling declaring it invalid.
For those businesses currently operating under the Safe Harbor, alternatives already exist. These alternatives are separate from the Safe Harbor and would not be impacted by an ECJ declaration of invalidity. These alternatives include:
Model contracts;
Binding Corporate Rules (“BCRs”); and
Individual consent.
Common Safe Harbor Alternatives
Model contracts are those contracts containing clauses approved by the EU and the Article 29 Working Party (a collection of data protection authorities that provide guidance on data protection issues within the EU). The model contract clauses contain data protection commitments and liability requirements that have been approved for use by businesses operating in countries that do not satisfy the adequacy standards defined under the EU Directive. A model contract would be required between each entity transferring personal data, making this option more burdensome for companies dealing with many different transfer counterparts.
BCRs are legally binding corporate rules adopted by a company. BCRs are typically used by companies operating in multiple jurisdictions and must be approved by the data protection authorities of the different jurisdictions in which the company operates. As a result of the approval process required of each data protection authority, implementing BCRs can be a slow process relative to other methods.
Individual consent is another common alternative to Safe Harbor. Generally, if an individual consents to their personal data being transferred outside of the EU, that consent is sufficient. Consent, however, may pose some issues when dealing with certain types of information, such as human resources data. Therefore, the use of consent should be evaluated on a case-by-case basis.
Bot’s opinion raises concerns regarding U.S. policy that were not known at the time the Safe Harbor was originally implemented. The ECJ will not ignore Bot’s opinion and has a history of not shying away from big decisions; just look to its recent “right to be forgotten” ruling. Prudent businesses may wish to consider and discuss alternative or supplementary compliance methods in the event the ECJ does declare the Safe Harbor invalid. Spencer Fane has experience counseling clients on Safe Harbor matters and can assist businesses in evaluating what alternative methods are best for their individual needs.
Update: On October 6, the ECJ decided that the Safe Harbor no longer offers the protection required by the EU Directive and declared the Safe Harbor invalid. This decision means that the time is now to begin evaluating alternative means to handle the transfer of personal data to and from the EU. As noted above, Spencer Fane can assist you with evaluating these alternatives and help you choose the method that best fits your individual needs.
This blog post was drafted by Jonathan Gray. He is an associate in Spencer Fane’s Denver, CO office.