The invalidation of the EU-U.S. Safe Harbor framework in October 2015 has created uncertainty for businesses that were reliant on the regime to transfer data to the United States, and has caused political shockwaves on both sides of the Atlantic. As it nears four months since the European Court of Justice’s judgment in Maximillian Schrems v Data Protection Commissioner (C-362-14) was handed down, we explore the current status of “Safe Harbor 2.0” and outline steps that your business may need to take.
Delays to Safe Harbor 2.0 In October 2015, we reported that a deadline of 31 January 2016 had been set for agreement to be reached on a new trans-Atlantic data-sharing arrangement between the EU and United States. Coinciding with this date, EU data protection authorities set a deadline for companies previously Safe Harbor-certified to put alternative data transfer mechanisms in place. As the deadline for a political agreement looms, it seems more and more likely that it will be missed. Since it would take time for businesses to become certified under a new Safe Harbor regime, it is now essential that businesses implement interim measures to avoid being at risk of enforcement action.
Safe Harbor negotiations Negotiations between political representatives from both sides of the Atlantic are key to resolving the current difficulties faced by companies transferring data from the EU to the United States. In the absence of an official statement from either side, drip-fed statements are creating an interesting picture.
In early January, Edith Ramirez, chairwoman of the Federal Trade Commission (FTC), stated she was optimistic that a solution to the situation would be agreed by the end of January. On the United States' part, the Judicial Redress Act is a major roadblock to progress. On 21 January, it was announced that a vote on the Act scheduled for 22 January was to be delayed. It is suggested that the delay is the result of amendments to a section of the Act that deals with litigation.
The Act is significant as it would allow European citizens to bring actions in the United States for violations of their privacy rights. It is one of the cornerstones to a new Safe Harbor agreement as the EU seeks assurances over how its citizen’s information will be treated. On 18 January, Věra Jourová, the EU Justice Commissioner, warned that guarantees for “effective judicial control of public authorities’ access to data for national security, law enforcement and public interest purposes” were needed.
Delays to the vote will be a headache for EU institutions and data protection authorities, and will cast doubt on the optimism of Edith Ramirez that a solution will be reached.
EU Data Protection Authorities There are reports that in a meeting held 20 January 2016, members of the Article 29 Working Party suggested that restrictions should be put in place on data transfers to the United States, including freezing new authorisations for Binding Corporate Rules and standard contractual clauses. This is unsurprising, given the reactions of some Data Protection Authorities to the invalidation of Safe Harbor. German Data Protection Authorities in particular took a hostile stance to the implementation of data transfer agreements as early as October. Businesses that have a presence across several jurisdictions must review their arrangements to ensure that they are satisfactory, especially in the jurisdictions with authorities known to be more active on enforcement activities.
Separately, it has been announced that EU Data Protection Authorities will meet 2 February to discuss the current situation regarding Safe Harbor. Much will depend on whether a political solution is reached before the meeting, but it is unlikely that a further grace period will be agreed.
Potential solutions As we have previously reported, companies can be affected by the invalidation of Safe Harbor in two main ways:
- Companies that were themselves Safe Harbor-certified must find new ways of legitimising data transfers between group companies.
- Companies that engage the services of suppliers that were previously certified to Safe Harbor must find new ways of legitimising data transfers to those suppliers, and satisfy themselves that the supplier is dealing with the onward transfer of data in compliance with the law.
The approach taken by suppliers has varied. Some large suppliers were very quick to offer a potential solution to customers by providing pre-populated, pre-signed standard contractual clauses. This blanket approach is not always suitable for customers who contract for a variety of services. Other suppliers have been more accommodating, dealing with queries from customers on a case-by-case basis.
In a market renowned for non-negotiable, standard form supply contracts, it is unlikely that many companies will have the bargaining power needed to negotiate a solution to the problem of Safe Harbor that is satisfactory and fully compliant. If a supplier refuses to play ball, companies can be left in a difficult situation, faced with the option of accepting either an imperfect solution, no solution, or the draconian measure of termination.
Tactics for getting supplier buy-in can vary and can come with different risks. In most cases, customers lack the necessary leverage to get suppliers to agree to changes. In other cases, suppliers have so many customer relationships, a one-size-fits-all approach is being taken. Safe Harbor’s invalidation has resulted in a change in law likely to require a variation of the contract. Any form of a varied contractual arrangement should be reviewed carefully and considered against the services that are provided to ensure that it is fully fit for purpose. The UK’s Information Commissioner’s Office warned in October that businesses should not “rush to other transfer mechanisms that may turn out to be less than ideal”. Given the impending enforcement deadline, businesses with operations in certain EU jurisdictions are well advised to ensure that the transfer mechanisms that they have in place are satisfactory, in case the regulator comes knocking.