There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place between before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US. But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world. No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures). Only two of the countries (Canada is in twelfth place) are in the top twenty. Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list. Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission). So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners.
You don’t see China, Russia, Japan or South Korea in a flap over having to rely on the standard mechanisms for inadequate countries, do you? Yes, the Commission-approved model clauses are clunky – to use the British expression, they aren’t really “fit for purpose” in today’s world where cloud-based data hosting and processing has become the norm (and often provides far more robust security than SMEs could ever afford without outsourcing to cloud platforms. Yes, the model clauses are under review by data protection authorities in light of the Schrems decision and could be taken away from US companies if the DPAs (and then the EU Court of Justice) decides that US companies are subject to legal obligations with respect to US national security laws that are incompatible with European fundamental rights. Yes, BCRs are expensive and can take well over a year to be approved by the necessary DPAs. Yes, the circumstances in which the individual’s consent may be relied on for data transfers outside of the EEA is under challenge now, and will be significantly limited under the new Regulation that will go into effect in around two years. Yes, the few other bases for transfers are narrow and unlikely to be of much use in many transactions. Yes, the new General Data Protection Regulation will have “shock and awe” fines of up to 4% of a business group’s global turnover to turn up the pressure.
But these are problems that the EU has created for almost all of its largest trade partners, not just the US. Legal risks and compliance burdens imposed on businesses either get priced into the costs of products or services (eventually hitting EU consumers), or lead to cost-benefit analyses that drive companies out of markets. Shouldn’t it be up to the EU to propose additional data transfer solutions to address concerns about protecting EU residents’ fundamental rights without imposing compliance burdens on its major trade partners that are practically or economically unworkable? The new Regulation contemplates some new solutions, such as Commission-approved privacy certifications, compliance with approved industry-specific guidelines, and sector-specific approvals for countries that regulate privacy on a sector-specific basis.
Let’s go back to that sigh of relief that I mentioned at the start of this blog post. With all due respect to the US negotiators who have been working extremely hard to get a new Safe Harbor agreement in place, Safe Harbor 2.0, when/if we get it, is only going to buy companies breathing room. No one doubts that it will be challenged by EU privacy advocates when it is adopted, and companies won’t know whether or not they can really rely on it until it percolates up and the Court of Justice of the EU issues a decision, which could take a couple of years. Furthermore, it appears that the current proposals for the new Safe Harbor agreement envision frequent re-assessments by the Commission, which means that a change in US law or practices, particularly relating to national security (and potentially even just media leaks and allegations) could result in the Commission withdrawing the Safe Harbor mechanism. (The new Regulation requires reviews at least every four years, but we expect Safe Harbor 2.0 to have a more frequent review cycle.) So what does that mean for Safe Harbor-listed companies? Basically, that all of the model clauses that they’ve been scrambling to put in place, all of the work that they’ve done on BCRs, and the attention that they’ve given to user consent, are still relevant – at a minimum, these will be critical back-ups until the new Safe Harbor agreement is effectively endorsed by Court of Justice decision (assuming Safe Harbor survives scrutiny). But also, these alternatives may be the better approach to personal data transfers than Safe Harbor until the new solutions made possible by the Regulation come into effect in a couple of years.