It is the beginning of 2016, and American companies are anxiously awaiting news of whether or not a new “Safe Harbor 2.0” will emerge. In October of 2015, the European Court of Justice declared invalid Safe Harbor 1.0 in the Schrems decision. This had an immediate effect on any American company collecting personal data from the EU by removing the legal basis for this kind of data transfer. As of October 2015, consumer, client, and even employee data cannot be legally transferred to the US under the Safe Harbor Framework.
Fortunately, the data protection regulators (“DPAs”) recognized the turmoil this decision created within the business community on both sides of the Atlantic. As a result, the Article 29 Working Party (which is the convention of DPAs from each of the EU Member States) issued a moratorium on enforcement actions until the end of January 2016, so that they could assess the effectiveness of the data transfer tools available. As part of this moratorium, the Working Party called on “…Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions”; and that the “current negotiations around a new Safe Harbor could be part of the solution.”
The negotiation of Safe Harbor 2.0 has actually been ongoing since the EU Commission’s report criticizing Safe Harbor 1.0 was released in 2013. Both the Chairwoman of the FTC and the UK’s Information Commissioner commented that much progress had been made on the Safe Harbor 2.0 negotiations within weeks of the Working Party’s call to find solutions which could include a new Safe Harbor framework.
So, as the end of the enforcement moratorium quickly approaches, many are asking: “where is Safe Harbor 2.0?” Two significant factors have emerged to call into question the ability to finalize a Safe Harbor 2.0: 1) passage of the Judicial Redress Act, and 2) the call for increased counter-terrorism surveillance powers in light of the ISIL terror attacks in Paris and California.
The Judicial Redress Act
The Judicial Redress Act is in direct response to one of the larger criticisms in the Commission Report on Safe Harbor 1.0 – EU citizens have no right of redress against privacy violations. This is particularly important in light of the fact that redress might need to be obtained from the US government. While there are redress mechanisms in Safe Harbor 1.0, all of them were limited to commercial actors. In fact, in order to participate in Safe Harbor 1.0, one had to be subject to FTC or Department of Transportation jurisdiction. Clearly, organs of the US government would not be subject to such jurisdiction. So the Europeans argued that governmental use of US companies which cause privacy violations made the current redress mechanisms insufficient.
Without debating the merits of this argument, it is clear that for Safe Harbor 2.0 to be concluded successfully, the Judicial Redress Act will need to be passed. Without it, one of the primary requirements for “adequacy” recognized by both the Commission’s Report on Safe Harbor and the ECJ’s decision invalidating Safe Harbor 1.0 will not be present.
Counter Terrorism Investigations
The other challenge to Safe Harbor 2.0 comes as a result of the terrorist attacks in Paris and California. With these attacks, the governmental agencies responsible for counter terrorism on both sides of the Atlantic are calling for more capabilities to engage in mass surveillance. Unfortunately, this is squarely at odds with the privacy protections needed to ensure that any Safe Harbor 2.0 does not fall afoul of the requirements embedded in the Schrems decision and the Commission report. However, passage of the Judicial Redress Act would give some additional assurances that the very real needs of counter terrorism can be appropriately balanced. While not a perfect solution, the Judicial Redress Act could act to mitigate both concerns, and thus make Safe Harbor 2.0 more likely.
Because of the foregoing, there are very real questions as to whether or not Safe Harbor 2.0 can be agreed to by the end of the DPAs’ enforcement moratorium. As a result, companies that were waiting to see if they could rely on a new Safe Harbor framework would be well advised to plan for alternative mechanisms to support a legal basis for transferring personal data outside the EU. The longer no word comes from the Safe Harbor negotiators, the less likely Safe Harbor 2.0 will be available for businesses to use as a legitimate basis for transfers once the DPAs start to enforce onward transfer restrictions again.