Safe Harbor is Dead! A Primer on EU Data Transfer And Why We Should Care
The latter part of 2015 saw social media and legal alerts blowing up about the EU/US Safe Harbor and the EU General Data Protection Regulation (the “GDPR”). Unless one is a privacy professional working with European data, one is probably relatively unfamiliar with the EU/US Safe Harbor and just what is going on. Here is the (incredibly short and pertinent) story (EU data experts are asked to please forgive any errors on my part):
Europe has privacy laws based on a fundamental right to privacy for individuals. The right to have one’s personal data protected is one of the rights guaranteed under Article 8 of the European Convention on Human Rights (ECHR), which protects the right to respect for private and family life. The ECHR was created by the Council of Europe, which was born in the aftermath of World War II to bring the European states together in order to promote law, human rights, democracy, and social development.
There were a lot of meetings, documents, and rules passed between then and now; the ones you hear most about are Convention 108 (the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, an internationally binding document) and the Data Privacy Directive (Directive 95/46/EC, passed by the European Parliament and the European Council in 1995). This Directive is probably the single most important document in the EU on data protection. You see, the European member states (now 28 of them) had started passing national laws on data protection. Given that the laws were different, they actually impeded the free flow of data, and therefore commerce, between countries. With the Directive, the member states were directed to pass laws that met a uniform standard for the level of data protection. It also applies to the non-EU states that are part of the European Economic Area (“EEA”): Iceland, Liechtenstein, and Norway. The Directive established two categories of entities that handle personal data: controllers and processors. Controllers, either alone or with others, essentially “determine the purposes and means of the processing of personal data,” whereas processors do just that: they process personal data for controllers.
But here’s the thing: the member states now had one high-level standard for transferring personal data among themselves, but personal data also flows out of Europe. Both Convention 108 and the Directive address the flow of personal data across borders to recipients who are subject to foreign jurisdiction (meaning outside the EEA). The Directive requires that personal data be transferred to countries outside the EEA only when that country guarantees an adequate level of protection. If that foreign jurisdiction cannot guarantee adequate protection, there are several exceptions that can be made, called derogations (see page 48 of this wonderful FAQs document). Derogations include the consent of the data subject, public interest grounds, necessity for the performance of a contract, protection of the data subject’s vital interests, and a few others. However, those that transfer data should not try to rely on one of these exceptions. If they are not in a country that has been determined by the European Commission to have adequate data protection laws (and there are only 11), then the entity transferring data, physically or electronically, must use another mechanism, such as Model Contractual Clauses or Binding Corporate Rules.
Here is where the United States comes in. The United States does not have adequate federal data protection laws, but the United States and the EU worked together to create the EU/US Safe Harbor (or Harbour, depending on which side of the ocean you are on) mechanism, which was deemed adequate as a foreign jurisdiction in 2000. This is a self-certification program with enforcement by government agencies that have committed to the EC in writing that they will enforce the program on entities subject to their jurisdiction; so far, only the US Federal Trade Commission (FTC) and the US Department of Transportation have done so.
Mostly relations were swimming right along—everybody recognizing that the EU had much stronger data protection requirements than the United States, but the Safe Harbor was pretty good at keeping US companies in line.
Then Edward Snowden, a contractor, exposed to the world that the US National Security Agency and Federal Bureau of Investigation were engaged in extensive surveillance activities. Data protection relations became strained, and the United States promised to get tougher in enforcement. In July of 2013, the EC publicly stated there was a need for data protection reform, and Germany announced it would not issue any new permissions for data transfers out of Europe and would consider suspending the Safe Harbor altogether. Later in 2013, the EC published its findings after reviewing the Safe Harbor and listed 14 recommendations for change. Coincidentally, the FTC announced two months later that it had settled Safe Harbor claims against 12 companies. Two months after this news, the FTC signed a memorandum of understanding with the United Kingdom’s Information Commissioner’s Office to promote increased cooperation and to share information between the two government authorities.
Meanwhile, it seems that US companies keep hitting the news, some over data practices (Google and Facebook, for example) and some over other issues, like tax breaks. Then Max Schrems led a class-action lawsuit against Facebook in Ireland alleging that Facebook breached European privacy law by sending data to the United States in light of the massive surveillance by the US government. Long story short, the case advanced as cases do, and when he lost at one level, he appealed to another. In the end, the European Court of Justice ruled that the EC’s 2000 decision approving the EU/US Safe Harbor is invalid, essentially because circumstances show that there is no guarantee of data protection against the US government, as evidenced by the massive surveillance.
This decision leaves the EU data transfer world in a questionable state. The Article 29 Working Party (an advisory group under the Directive) has stated that “[i]f by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
This means that US authorities are scrambling for a solution to data transfer, as are US companies and companies that transfer information to the country. The common solution appears to be the model contract clauses, but they are neither commercially friendly nor do they address processor-to-processor transfers. In pure black and white, the lack of a practical and simple means to transfer data out of the European Union to the United States could bring a halt to a vast number of transactions. In practice, it seems unlikely that a solution, even a temporary one, would not be found. The EU data authorities would need to become very active in enforcement, with a couple of huge examples. That could happen, and if the United States and the impacted companies think that the EU would not do so, they could be in for a big surprise.