The Safe Harbor agreement has been overturned. Now what?
Recently, the European Court of Justice (ECJ) overturned the Safe Harbor agreement between the European Union (EU) and the United States, leaving many companies questioning what to do. Here’s a quick Q&A to help you understand what’s transpired and what it means to companies that were operating under the Safe Harbor Law.
- What was Safe Harbor?
Safe Harbor was an agreement between the United States and the EU that allowed companies to transfer the personal data of European citizens to the United States. Safe Harbor allowed U.S. companies to self-certify against the EU directive to indicate they’d protect EU citizen data per the Privacy Principles.
- Why is Safe Harbor no longer a valid law?
In October 2015 the ECJ responded to a complaint brought by an Austrian citizen against Facebook. This citizen claimed Facebook violated the EU Data Protection Directive. European courts ruled European citizens’ data was misused by Facebook when the company complied with U.S. intelligence collection. It was found that EU citizens have no real avenues to pursue legal action to gain access to their own data or against federal agencies that misuse data. In the end, the Court ruled that Safe Harbor did not adequately protect European citizens’ personal data by allowing U.S. government interference.
- What should companies do now?
Here are a few ideas:
- Model contract clauses can be included in contracts where data will be exchanged. These clauses have been provided by the EU and meet their requirements. However, these contract clauses are also vulnerable to legal challenge due to several of the same concerns raised regarding Safe Harbor.
- Binding Corporate Rules, or “International Code of Practice” rules, can be used for inter-company transfers. These rules must be approved by national data protection authorities. As a requirement for approval, the company must show the rules are binding by having a method to force employees to follow them. Methods suggested by the EU include a sanction policy and mandatory training attendance.
- Companies could opt not to transfer data at all and store all European personal data locally in Europe. This method would be more expensive but could allow companies to avoid transferring EU data. Some American cloud providers have begun to form agreements with European providers to make this option easier.
- How quickly do companies have to comply with the new laws?
Companies will have a three-month grace period before enforcement. After January 2016, “necessary and appropriate action” will be taken, which could include blocking transfers.
Going forward, companies should monitor the ongoing negotiations between the United States and EU. Recently, an EU justice commissioner announced negotiations between the United States and EU had been making progress and that there was an agreement in principle. However, she also noted there were still details to be agreed upon—specifically how the EU can be sure companies are fully complying.