November 19, 2015
The Court of Justice of the European Union (CJEU), the EU’s highest court, ruled the EU-US Safe Harbor Framework invalid on October 6, 2015 based on the rationale that the US government’s surveillance powers violate EU citizens’ fundamental right of privacy. The Safe Harbor program, in place for fifteen years, had allowed European companies to transfer data to the US, despite the fact that US data protection law did not provide the same standard of privacy as that afforded by EU law.
Companies operating in member states of the EU are generally prohibited from transferring data outside the EU unless the destination jurisdiction affords a similar level of data privacy and protection. The US’s data protection framework, or lack thereof, does not meet this standard. This is where the Safe Harbor agreement previously had stepped in with a solution: the agreement stated that if a US company was Safe Harbor certified, that is, that it adhered to certain privacy principles going above and beyond the US law, then an exception could be made and data transferred from the EU. It effectively provided a bridge between the two regions' disparate data protection requirements.
That bridge has now been burned, so to speak. The ruling has resulted in a lot of uncertainty, as there is no clear, one-size-fits-all alternative for companies doing cross-border business in these two regions. The EU’s Article 29 Data Protection Working Party, made up of authorities from each member state, has indicated there will be a grace period until the end of January 2016, at which time its members will consider beginning enforcement actions. The consensus of both the business community and government officials is that a Safe Harbor 2.0 agreement must be reached by then.
Otherwise, if US and EU officials can’t agree on an updated Safe Harbor agreement that addresses the EU’s privacy concerns, companies would need to consider alternative bases for data transfers. Some are time-intensive: for intra-company transfers, adopting Binding Corporate Rules, which must first be approved by the member state’s Data Protection Authority (DPA); for external transfers, including in contracts model clauses that have been pre-approved by the European Commission. Others are not always workable, such as obtaining the data subject’s consent or anonymizing data prior to transfer.
The lack of a Safe Harbor agreement could have implications for due diligence efforts by US companies doing business in Europe, as the transfer of data used to vet potential business partners might violate EU law. Consent, an exemption under EU data privacy law, would be the most streamlined alternative, but it poses problems of its own when it comes to obtaining consent in an employment context. For consent to be valid, it must be freely given without coercion and, in the case where an employer is asking its employees to provide consent to complete the due diligence process, those employees may have no real choice. Another alternative, as mentioned above, would be anonymizing the data prior to transfer, whereby the company could still transfer the desired information without revealing any personal information such as names or employee identification numbers that could be tracked back to an individual. Although this might work in certain situations, it would not be an all-encompassing solution for due diligence efforts that often require specific, identifiable information. The best solution may be the use of model clauses, but this presents a heavy administrative burden, as a company would need to have clauses in place with each entity from which it wishes to transfer data.
Thankfully, US and EU officials appear to be making progress in rebuilding the Safe Harbor Framework. Earlier this week, the European Union's Commissioner for Justice announced confidence that officials would meet the January deadline for a new agreement. This is welcome news for US companies doing business in Europe, as the way forward without a new Safe Harbor agreement is murky at best.
For more on this topic, please see the following resources:
Judgment of the Court, Court of Justice of the European Union (6 October 2015)
Should the U.S. Adopt European-Style Data-Privacy Protections?
EU Justice Chief Vera Jourova Speaks on Negotiating New Safe Harbor Pact