With EU-U.S. data transfer scheme Safe Harbor being found to be “invalid” recently by Europe’s top court, pressure has increased on U.S. and EU officials to put aside differences and see if an alternative 2.0 scheme could be brokered. News this week is that the EU and U.S. are making some progress at a high level, but there is still a good deal of work to be done.
According to EU Commissioner Vera Jourova, there is some agreement in principle that the U.S. will look to improve certain aspects but the details are not agreed, for example, how to make sure there is stronger oversight and enforcement by the U.S. Department of Commerce (DOC) and Federal Trade Commission (FTC), respectively. The devil is always in the detail, and therein lies a potential problem. The EU wants to move away from what was regarded as a scheme that was open to abuse and with poor compliance, given its self-regulatory/self-certification nature, to one that is much more based on real oversight and tough sanctions. Although businesses should be pleased that the sides are talking and some progress is being made, that pleasure should come with a healthy dose of caution and may yet still prove to be a false dawn, given how far apart both sides were on the details, even before the Facebook ruling.
So, what should businesses do now? Notwithstanding whatever dialogue is going on, the fact remains Safe Harbor has been found invalid, and there is an enforcement regime that was bolstered with six figure fines that poses a risk. The imperative should therefore still be to urgently review data transfer (and general data handling) arrangements to see whether model clauses or binding corporate rules (BCRs) are a better solution. Further, given the new data laws that are just around the corner in the EU, an updating of company data handling arrangements and policies generally would go a long way to helping move businesses into an up-to-date position, ready also for the new Data Protection Regulation, and thus reduce fine/enforcement risk in any event.