On October 6, 2015, the European Court of Justice struck down the U.S. Safe Harbor that allowed U.S. enterprises to legally move personal data from the European Union (EU) and the rest of the European Economic Area (EAA) to the U.S. In invalidating the Safe Harbor, the court removed a tool upon which thousands of U.S. enterprises depended to move data about EEA citizens across the Atlantic. The blow was felt especially by technology companies that do business with Europe or need to store European data in the U.S.
Dealing with the loss of the Safe Harbor requires an understanding of the underlying European law, knowledge of the alternative options for compliance and a look at the road ahead for European privacy law.
The Rise and Fall of the Safe Harbor
In 1995, the EU adopted what has become known as the Data Protection Directive. Under EU law, a “directive” requires each EU member state to adopt prescribed national law. The Data Protection Directive required that each member state adopt specified protections; most importantly for U.S. businesses, the Data Protection Directive required law that prohibits the transfer of personal data about citizens of EEA countries outside the EEA unless the same European-style protections follow the personal data wherever it goes.
The Data Protection Directive applies to the “processing” of “personal data.” “Processing” includes just about anything one can do with data, from collecting it to storing, indexing, analyzing and even getting rid of it. “Personal data” is virtually any information about a living human being. The term goes beyond names, addresses and credit card numbers. It can include such things as shoe size, sports team preferences and other information not usually thought of by Americans as subject to legal protection.
U.S. enterprises are usually affected most by the data transfer provisions of the EU’s privacy directive. As commerce becomes more global and networked computing and communications become more ubiquitous, U.S. enterprises need to import, store and use European personal data in the U.S. as a part of their operations. Not counting the express and fully informed consent of the data subject or several very narrow exceptions in the directive (national security, etc.), the Data Protection Directive allows five ways for companies to move European personal data out of an EEA country:
l Move it to another EEA country;
l Move it to a country that the European Commission (the EC) has determined to have a national law that is at least as protective as that required by the Data Protection Directive (currently Andorra, Argentina, Canada [under limited circumstances], the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay);
l Move it to a country for which the EC has made a limited determination of adequacy under special programs (like the U.S. Department of Commerce’s Safe Harbor);
l Move it under contractual protections using one of three forms approved by the EC (the so-called “standard contractual clauses,” or “model clauses”); or
l Implement enterprise-wide rules (called “binding corporate rules”) in consultation with several EU data protection authorities (DPAs) that allow transfers within that enterprise.
The EC approved the U.S. Safe Harbor in 2000. The Safe Harbor involved a set of EC-approved privacy principles to which U.S. companies could adhere, self-certify their compliance and be accountable to European data subjects through arbitration and other means. The U.S. Federal Trade Commission enforced failures to comply with the Safe Harbor principles under its authority to regulate “unfair or deceptive acts or practices.” In all, 4,500 U.S. companies signed up over the course of the next 15 years.
The Safe Harbor was, of course, dependent upon continuing to provide an adequate level of protection for European personal data. Edward Snowden’s revelations in 2013 about the National Security Agency’s practices, among other things, raised doubt about whether European data was actually protected in the U.S.
Austrian activist Maximilian Schrems brought suit against Facebook in Ireland, alleging that Facebook had moved his personal data to the U.S. illegally. Facebook depended, in relevant part, on the Safe Harbor to allow the transfers. On October 6, the European Court of Justice ruled that, in light of the Snowden revelations and other factors, the Safe Harbor no longer provides the protections upon which the EC’s 2000 decision was based and struck down the Safe Harbor as a means of transferring European personal data to the U.S.
What Invalidation Means
The immediate result is that transfers of European personal data under the Safe Harbor run afoul of the national law enacted under the EU Privacy Directive. The European court’s decision has no grace period, so many enterprises went to bed covered by the Safe Harbor and woke up to find their transfers of European personal data illegal.
U.S. and EU authorities began work soon after the Schrems decision to create a new U.S. Safe Harbor, commonly referred to as “Safe Harbor 2.0.” Although there have been reports that the parties are close to resolution, there is, as yet, no new Safe Harbor and no solid indication of when it might be approved.
The Article 29 Working Group, an independent advisory group made up of personnel from European DPAs, issued a report on October 16 recognizing the efforts to replace the U.S. Safe Harbor, stating that “[i]f by the end of January 2016, no appropriate solution is found with U.S. authorities ... EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” Many regard this statement as a soft grace period. That said, the Article 29 Working Party has no actual authority, and any forbearance by DPAs is strictly voluntary.
The bad news is, of course, that 4,500 U.S. companies have suddenly lost a method of compliance with EU privacy law. But the bad news may have a silver lining of good news in that nothing about the Schrems decision provides European DPAs any additional personnel or budget with which to pursue enforcement actions. This is no guarantee of safety, but it seems likely that DPAs will focus efforts on the worst offenders, and the rest of the herd will have some breathing space. The key will be to use such breathing space as is available to get a replacement compliance program in place.
What Next?
In the near term, enterprises can still use standard contractual clauses and binding corporate rules as a means to move European personal data to the U.S. and elsewhere.
The standard contractual clauses are forms of agreement between data importers and exporters. (Europeans refer to them as “clauses,” but they are actually full agreements). The EC has approved three forms of the clauses, one for use between “controllers” (parties who decide how data will be processed) and “processors” (parties who process the data at the direction of a controller) and two for use where both parties are controllers. The clauses can include purely commercial terms that don’t affect the data protection provisions, but otherwise cannot be modified except to fill in the required information. Whatever one’s thoughts about the inability to vary the terms, it makes negotiations very straightforward because the substance is fixed by an EC ruling.
Many enterprises enter into composite agreements that integrate the standard contractual clauses. In this way, each company in the enterprise signs once and has coverage by the standard contractual clauses among all of the constituent companies, whether as a controller or processor and whether as an importer or exporter.
Binding corporate rules are also an option but only for larger enterprises with the resources to put them in place. The process can be long and involved, and it requires working with a lead DPA and consultations with other DPAs. This is to say nothing of the process of putting the rules in place and making them an actual part of the enterprise’s culture and process. Only 81 enterprises have completed binding corporate rules so far, and they are mostly large banking, pharmaceutical and technology (here meaning mostly Internet-related) companies. Additionally, the demise of the Safe Harbor has almost certainly been the tipping point that will have caused a new surge of applicants for the approval process, likely straining the resources of the already busy DPAs.
Note that these compliance processes could technically be subject to the same kind of challenge that invalidated the Safe Harbor. A plaintiff would need to show that these compliance mechanisms failed to provide a level of protection that is adequate by EU standards. No such litigation has yet reached the high court, and most commentators think that it is unlikely, at least in the near term, but it is possible.
The biggest development will be when the new General Data Protection Regulation (GDPR) is enacted in the EU. EU officials have realized that social networking, cloud computing and globalization have raised issues not contemplated by the European Data Protection Directive and have been moving to address those issues. After a lengthy process of drafting and amending proposals that began in 2012, representatives of the Council of Ministers, the European Parliament and the European Commission approved a draft on December 15 that is expected to be the final text, pending ratification by the European Parliament. Once enacted, the GDPR will take effect two years later.
Unlike the European Data Protection Directive, the GDPR will be a regulation, which means that it will not be dependent upon member-state legislation and will instead be its own binding law. This is expected to benefit businesses by providing a one-stop shop for compliance requirements because there will be a single rule across the EEA. In addition to addressing much of the same subject matter as was covered by the European Data Protection Directive, the GDPR will impose additional notice requirements; require businesses to design privacy into their goods, services and software; require businesses to appoint data protection officers; and require rapid reporting of data breaches.
The GDPR continues to make room for compliance mechanisms – like safe harbors, standard contractual clauses and binding corporate rules – so efforts now toward putting these mechanisms in place will likely be rewarded with continued validity once the GDPR takes effect. In any case, the GDPR will not make data protection less demanding; only – one hopes – more intelligible across the 31 countries of the EEA.
In the meantime, those for whom the loss of the Safe Harbor meant the loss of a vital compliance mechanism have work to do.
Strategies for After the Loss of the Safe Harbor
Enterprises that were dependent on the Safe Harbor have several options. Waiting for Safe Harbor 2.0 is risky because there is no guarantee that it will be in place before the Article 29 Working Party’s deadline of January 31, 2016.
In the meantime, although not often discussed as an option, the consent of the data subject goes a long way toward compliance. Obtaining fully informed consent from those data subjects with which a company most often deals might garner some low-hanging fruit.
Beyond consent, many enterprises are implementing standard contractual clauses, both internally among the companies that are a part of the enterprise and in one-off agreements with customers, suppliers and others.
For those for whom binding corporate rules make sense, the loss of the Safe Harbor might be the event that causes them to begin the process. Bear in mind, though, that the approval process can take a year or more, and it is not a near-term solution.
The good news is that the work that went into complying with the Safe Harbor is not wasted. The same privacy program that an enterprise used to implement the Safe Harbor privacy principles goes a long way toward complying with the obligations under the standard contractual clauses and can even be a start on the road to binding corporate rules.
Stephen L. Tupper, Leader of the privacy, data security and e-commerce practice at Dykema. [email protected]
Published January 6, 2016.