Since the revelation of the NSA’s mass e-surveillance program in June, and in conjunction with the progress of the new General Data Protection Regulation (GDPR) in Brussels, European institutions have been actively reconsidering the terms on which personal data is permitted to cross European borders. One proposal, which has raised a ripple effect of concern through the industry, includes suspension of the U.S.-EU Safe Harbor framework and all data flow under it. This move could potentially leave thousands of businesses on both sides of the ocean in the lurch.
What Is the Safe Harbor?
The Safe Harbor framework is a compromise agreement between the European Union and the U.S. Department of Commerce (DOC) intended to facilitate data transfers from the EU to the U.S. The EU’s Data Protection Directive (the European Directive) prohibits the transfer of personal data from the European Economic Area (EEA) to countries that do not meet the EU’s privacy protection standards, also known as the “adequacy” requirement. Although U.S. privacy laws have not been deemed “adequate” by the EU (in fact, only a handful of countries’ laws have), cross-Atlantic data flow underlies most business transactions between the world’s two largest trading partners; thus, the U.S. and EU governments devised the Safe Harbor arrangement to facilitate a streamlined process for U.S.-EU data flows.
The Safe Harbor program is a voluntary process overseen by the DOC and open to businesses subject to either Federal Trade Commission (FTC) or Department of Transportation jurisdiction. Participating businesses self-certify on an annual basis their compliance with seven privacy principles listed on a website maintained by the DOC, which essentially mirror the European Directive. Businesses that fail to live up to these public promises become subject to FTC enforcement under the “unfair or deceptive” trade practices clause in Section 5 of the FTC Act. In fact, the FTC has brought enforcement actions against and reached consent decrees with 10 companies, including household names such as Google and Facebook, for violation of their Safe Harbor promises.
Approximately 3,000 U.S. businesses are currently enrolled in the U.S.-EU Safe Harbor program. However, thousands more on both sides of the Atlantic rely on the promises of “Safe Harborites,” including some of the largest multinational service providers in the world, to facilitate data flows to business partners and service providers in the U.S. Tens of millions of Europeans have their personal data transferred through the Safe Harbor framework every day.
Challenges to the Safe Harbor
Although the EU had already seen a strong push towards increasing data privacy protections, news of the NSA’s mass e-surveillance program has incited further criticism of the current trans-Atlantic privacy framework. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has recently announced that it will “call on the Commission to suspend the Safe Harbor agreement, pending a full review on whether the U.S. companies can still comply with it.”
While this announcement has gathered significant attention in both the U.S. and EU, it is not the first such challenge to Safe Harbor. Indeed, last July the Conference of German Data Protection Commissioners, at both the state and federal level, announced that it was considering halting Safe Harbor-approved data transfers even under the current framework. Although the Safe Harbor, as an arrangement adopted at EU level through a European Commission adequacy decision, cannot be suspended by any one member state, a national data protection authority (DPA) may refuse to authorize a transfer under it if it determines that, notwithstanding the Safe Harbor, there is a substantial likelihood that promises of adequate data protection are not being kept.
Beyond the Safe Harbor
What would the world look like without the Safe Harbor? Even without the Safe Harbor, alternative avenues would exist for U.S. businesses to receive data transfers from the EEA. U.S. businesses ineligible for Safe Harbor, as well as businesses in other countries that have not been deemed “adequate” (e.g., Australia, Russia and Japan), already frequently use these mechanisms, which are available under Articles 25 and 26 of the European Directive. These alternatives would continue to exist under the GDPR, with some mechanisms, namely binding corporate rules, likely gaining more traction. However, the significant cost and effort needed to ensure compliance through these substitutes is what inspired the creation of the Safe Harbor in the first place, and those costs have not abated in the intervening years.
Commission adequacy findings: The European Commission has previously approved a small list of nations’ data protection laws as “adequate.” Consequently, commercial data transfers from the EEA to those countries would be unaffected by a decision on the Safe Harbor. The approved countries are: Andorra, Argentina, Canada (only organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA)), Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, and Uruguay.
DPA authorization: A national DPA may also authorize data transfers on a case-by-case basis if it determines that adequate privacy and security safeguards exist to protect EU citizens’ privacy rights.
Standard Contractual Clauses: Businesses can use one of three sets of standard contractual clauses (SCCs), which codify key privacy principles and have been pre-approved by the European Commission to sanction data flows. SCC Sets I and II apply to transfers from an EEA data controller to a non-EEA data controller, while a third model can be used to authorize transfers from an EEA data controller to a data processor in a third country. In all cases, the SCCs must be copied verbatim and strictly adhered to. Additionally, some member states require that such contracts be deposited or presented for review as a formality (although such added restrictions would be abolished under the GDPR passed yesterday by the LIBE committee). Businesses may also rely on custom-made contracts, or revise an SCC term, but those must be individually approved by national DPAs.
Binding Corporate Rules: Another option is adopting binding corporate rules (BCRs) for the transfer of personal data across EU borders within a multinational corporation. These codes of conduct effectively constitute full-blown privacy programs, and therefore fit large global organizations with the budget and clout to create and enforce them. The European Commission has stated clearly that BCRs protect intra-group transfers of “closely-knit, highly hierarchically structured multinational companies.” BCRs must also incorporate additional procedural principles, such as audits, complaint processes, transparency requirements, a duty to cooperate with DPAs and certain liability and jurisdiction rules. The current draft of the GDPR would expand the role of BCRs as a data transfer mechanism, also explicitly recognizing BCRs for data processors.
BCRs must be both binding and legally enforceable, taking into account the legal systems of each country where they may be applied. At a minimum, “binding” means that any covered corporate group and all of its employees are compelled to obey the rules in practice; “legally enforceable” means that data subjects must become third-party beneficiaries, through operation of law or contract. All BCRs must be submitted for approval to the DPA in each member state from which data would be transferred, although a process for mutual recognition is available.
Derogations: Finally, data transfers are permissible under six exceptional situations, enumerated in Article 26(1) of the Directive. The most popular of these conditions is acquiring the “unambiguous consent” of the data subject. However, U.S. businesses must be attentive to the EU’s differing vision of consent, which must be a freely given, specific, informed and unambiguous indication of wishes. In the employment context in particular, consent is viewed with disdain by European regulators given the inherent imbalance of power between employer and employee. The GDPR could further limit consent as a data transfer mechanism, requiring opt-in in all cases and requiring a company to inform individuals of the risk of the transfer.
Other permissible derogations include when a transfer is necessary for the performance of a certain contract; is necessary on important public interest grounds or to protect the data subject’s vital interests; or when made from a public register. Note, though, that these derogations are construed narrowly and subject to a strict “necessity test.” As such, they are not well-suited to authorize wholesale transfers of data across borders.
Businesses considering one of these alternative adequacy schemes should pay attention to their interaction with other EU regulatory requirements. In particular, the transfer of HR data outside of the EU may implicate local labor laws (e.g., works council authorization) in addition to data protection principles. Similarly, each adequacy mechanism contains different rules for conducting onward transfers of data, and these should be examined in their practical contexts.
In a world without the Safe Harbor, active data flows between the U.S. and EU would remain achievable. However, each of the alternative routes to a showing of adequacy would be far more time- and resource-consuming and may involve complicated review and approval processes on a case-by-case basis. The regulatory burden of enforcing each of these alternatives would also fall to European DPAs, rather than U.S. agencies. In addition, far from solving the government access problem, which provided the impetus for reassessing the protections provided by the Safe Harbor, BCR, SCC and other derogations would run up against the newly proposed language in Article 43a of the GDPR, which forbids companies from complying with governmental requests for personal data unless expressly approved by an EU DPA or pursuant to an inter-government agreement.
Furthermore, both the Safe Harbor and the alternative adequacy mechanisms are facing a significant overhaul in the near future through the implementation of the GDPR. Christopher Kuner’s review of the proposed regulation and a follow-up piece by Cedric Burton, Kuner and Anna Pateraki on the position of the EU Parliament examine in detail the potential legal and procedural changes likely to be found in the new regulation, including limiting and coordinating DPAs’ authorization powers and introducing more flexibility to BCR liability. As the GDPR inches toward a final draft, more details about its implementation will emerge, including which regulatory body will take over the approval process for international data transfers.
Despite the intensifying rhetoric surrounding Safe Harbor, the suspension or modification of the current framework, if it occurs, would likely not take effect for a couple of years. Officials on both sides are sensitive to the compliance challenges faced by affected businesses, and would likely provide for a sufficient transition period if the Safe Harbor is significantly altered. That said, suspension or modification of the Safe Harbor framework would have a significant impact on businesses in both the U.S. and EU.