Does your company rely on Safe Harbor to transfer personal data from Europe to the US?  If so, it’s time to think about alternatives to Safe Harbor – and fast.

The European Union’s Data Protection Directive (1998) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection.  Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection.  The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.

Currently, over 4,000 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.  But in light of the opinion issued today by ECJ Advocate General Yves Bot in the Schrems case, there’s a very high risk that the Safe Harbor program will be invalidated by the European Court of Justice, which is the EU’s highest court.  The AG found that the Commission’s decision (made 15 years ago) that the US-EU Safe Harbor program offers an adequate level of protection to personal data of EU residents was invalid in light of what is now known (largely through Edward Snowden’s disclosures) about the transfer of personal information from companies such as Facebook Ireland to the NSA under the PRISM intelligence program.

The ECJ will issue its ruling on the Schrems case before the end of 2015, and possibly sooner.  The ECJ does not have to adopt the Advocate General’s opinion, but it usually does (with the Google Spain case being a notable exception).  All of this is against the backdrop of negotiations between the European Commission and the US government for reforms to the Safe Harbor program and its enforcement by the US.

So if your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it’s time to start considering other bases for the transfer.  The other options are:

  • Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid.  It’s also important to keep records of the consent in case there’s a challenge.
  • Binding corporate rules for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more).  So while this is a longer-term option, it won’t help if the ECJ invalidates Safe Harbor within the next few months.
  • Contracts between the exporting and receiving entities. The European Commission has provided model clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data.
  • In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office.

However, there’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option:  BCRs and contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU.  If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.

The larger question of the international conflict between protecting privacy and enabling intelligence activities aimed at increasing the safety of the public (and, potentially, various other national interests) is a matter for the relevant governments to negotiate – but in the meantime, US companies that rely on Safe Harbor look to be stuck in a hard place.