Earlier this month the Court of Justice of the European Union struck down the EU-U.S. Safe Harbor Framework which previously provided U.S. companies comfort in that they could follow the framework and know they were not violating the more strenuous E.U. personal data privacy laws. The scrapping of the Safe Harbor is a result of recent Snowden revelations about the U.S. data collection efforts in the E.U.
Created in 2000, the Framework allowed for the lawful transfer of European citizens’ personal data to the U.S. Without it, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on that list. For a good description of the ruling, go here.
I’m not Facebook or a cloud storage company, so why do I care?
Data transfers have not come to an immediate hault. Likewise, trans-Atlantic trade has not stopped. But, you may not realize you transfer the personal data of E.U. citizens and need to be prepared. Certainly, if you previously relied upon the safe harbor, you need to make some changes.
Do you take orders from E.U. customers? Do you have subsidiaries in the E.U., but process the H.R. functions here? Do you host the company email here that includes email accounts of E.U. citizens? Do you store information from E.U. citizens? You can see how easily you can become susceptible to possible data transfers of personal information of E.U. citizens.
So what do I do?
Because the ruling is so new, a lot of people are still trying to figure out what exactly this means. Some suggested actions include:
1. Update the Privacy Policy
Many privacy policies provide that the company follows the Safe Harbor guidelines. This should be updated and the policy should go into greater detail about what “adequate protections” you use to protect data.
2. Get consent for transfers of data outside the E.U.
Under the E.U. Directive, you can legally transfer personal data with the subject’s consent. This is based on one of the derogations to the EU Data Protection Directive. This may help with the occasional customer, but when it comes to your employees in the E.U., many of the authorities have found that you cannot get real consent from employees because of the lack of leverage for the employee to say no.
If you are dealing with consumers, you would need to document and obtain actual consent. Having a statement in a privacy policy hidden on your website is not sufficient. You must make the E.U. citizen actually consents through a click-wrap agreement and document their consent. It may not be enough to simply have them agree that you may transfer their data to other countries with less rigorous data protection laws, but you may have to notify them that their data may be transferred to a jurisdiction where their data may be subject disclosure pursuant to a court order or other governmental action.
3. Use one of the alternative mechanisms
The options other than Safe Harbor that were available before the ruling are still possibilities. These include the Binding Corporate Rules and Standard Contractual Clauses.
The Standard Contractual Clauses can provide an efficient short-term fix. They can be used to transfer data within one company (the H.R. or email server issues) or between a company and a vendor. The magic involved here is in describing what and how data is collected, stored and protected in the appendices of the SCCs.
The Binding Corporate Rules may be an alternative, but it may take time to get them approved because they require approval from the data protection authorities in each country of the E.U. from where you would transfer data. This process can also be expensive to implement. Some jurisdictions are tougher than others. The U.K. is less restrictive than Germany, for example. Therefore, it may depend on in which jurisdictions you have operations.
4. Segregate E.U. Data
To the extent you store data, you can segregate it and keep from transferring the data on E.U. citizens out of the E.U. This may not be practical for most people, but if it is an option, it may be the better one than trying to navigate through this morass.
5. Stay Classy San Diego
While you can no longer rely upon on Safe Harbor to avoid problems, you should maintain those safeguards in place because you promised to do it. Showing that you are taking best practice precautions may save you from any harsh penalties if anyone ever complains.
The likely outcome is that E.U. and U.S. officials will create a new framework that addresses some of the concerns set out in the order to allow for transfer of data. The good news is some European officials have already stated they plan on proposing new guidelines and do not plan to aggressively enforce any data transfers in the near term that satisfied the Safe Harbor.
In the meantime, stay calm and consider the options. Watch to see if the European authorities issue guidelines you can live with. Check in here for guidelines that may be forthcoming. Individual countries may also provide their own guidelines.
No, the world is not ending, but a change will have to be made. We will monitor the situation and provide updates as available.
UPDATE: 10-15-15
This morning, I participated in a conference call with our international partners in our First Law Institute Data Protection/Retention Group. The general consensus was that SCCs are the way to go in the interim, but they are not foolproof for all situations and entering into the agreements does not really address the policy concerns raised in the court’s ruling.
During the esoteric part of the conversation, some of the European partners conceded that other countries engage in surveillance and if you applied the policy behind the ruling, there should be no data transfers outside of the E.U. to almost any other country that engages in any form of cyber surveillance. No matter what measures a company puts in place, the ruling focused on the government surveillance rules which would trump whatever the contractual arrangements are in the SCCs.
The good news is that our European partners believe new guidelines, or a Safe Harbor 2.0, will emerge soon.
