The European Court of Justice (ECJ) recently ruled that the US Safe Harbor agreement, which allowed the transfer of European citizens’ personal data to US companies, is invalid, leaving many multinationals in murky waters.
The 15-year-old data transfer agreement between the EU and the US allowed multinational companies such as Google, Microsoft and Facebook to store European citizens’ data in the US, so long as the companies agreed to comply with its data protection principles.
The invalidation of the agreement follows the ECJ’s finding that the US does not provide an adequate level of data protection and that the Safe Harbor scheme did not protect consumers, a conclusion reached in the wake of the Snowden revelations.
What is the ‘Safe Harbor’ agreement?
Back in 2000, the Safe Harbor agreement was created to find a practical means to deal with data transfer. The scheme allowed companies to self-certify that they would protect EU citizens’ data when transferred to, and stored within, US data centres. This made the Safe Harbor scheme a sort of one-stop-shop, allowing for the export of personal data without the need for consent, speeding up processes and significantly reducing the amount of paperwork required.
Currently there are over 5,000 US companies registered on the program. The Court provided no transitional period for companies to adapt and, as a result, these businesses have been left non-compliant with EU data protection rules. Businesses affected include EU-based multinationals transferring data between group companies and their US parents, and companies based in the US with EU customers.
Implications for your business
Until the EU and US agree a successor program that is compatible with EU data protection law, a large number of companies are left in the lurch.
The Information Commissioner’s Office in the UK (“ICO”) has released a statement following the ruling. They noted: “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in-line with the law.
“We recognise that it will take some time for them to do so... We will now be considering the judgment in detail, working with our counterpart data protection authorities in other EU member states and issuing further guidance for businesses on options open to them.”
The ICO also noted that negotiations have been going on for some time between the European Commission and the US to replace the Safe Harbor program with a new, more privacy-protective arrangement.
One of the more troubling parts of the judgment is that the decision was largely based on the ability of US intelligence agencies, such as the National Security Agency, to view personal information transmitted to the US. It is unlikely that US security agencies will ever defer to EU privacy legislation over perceived national security needs. So how will this be reconciled in the Safe Harbor 2.0 program?
The most obvious and cleanest alternative for compliance is not to transfer personal data outside the EEA at all: install and maintain the servers that store personal data about EEA residents within the boundaries of the EEA. This is, unfortunately, not a practical solution for many companies that need to centralise in the US functions requiring the collection, storage and use of EEA customer, supplier and employee data.
There are other means approved by the EU for transmitting personal data internationally. One of these is known as “binding corporate rules.” Under this scheme, companies within a corporate group agree to transfer personal data within the group under rules compatible with EU data protection legislation. The binding corporate rules must be approved by the data protection authority in the EEA country from which the data is transferred. However, binding corporate rules only cover intra-group transfers, so they do not solve the problem of transmitting data between a customer in the EEA and a supplier in the US.
Another alternative is the use of “model clauses” in contracts between the persons or companies sending data from within the EEA and the companies or persons receiving it in the US. The EU has pre-approved standard contractual templates that it considers will provide adequate protection.
A third alternative is to obtain express consent from the data subject to the cross-border transfer of his or her data for a specific use or uses by the US recipient. This is not a viable option where large volumes of data cross international borders.
Whatever interim solution companies adopt, all US companies registered on the Safe Harbor program will need to urgently reassess their data protection programs and find another lawful basis for transfers. There is no certainty about what enforcement action may be taken in the interim period, so companies who are unsure of their position are urged to seek legal advice immediately.