Last week an Advocate General for the European Union issued an opinion that added to the uncertainty about the future of the U.S.-EU Safe Harbor Framework for transfer of personal data to the U.S. The AG Opinion is a non-binding opinion recommending that the Court of Justice of the European Union (CJEU) make a determination that the U.S.-EU Safe Harbor data transfer pact is non-binding on member states, and need not be honored. Such a determination would be a significant blow to thousands of U.S. multi-national companies who rely upon their Safe Harbor certification to support an adequate level of protection for transfers of personal data from the EU to servers located in the U.S.
The opinion arises out of a challenge brought before the Irish Data Protection Commissioner in the wake of the Edward Snowden public disclosures, particularly those about the U.S. National Security Agency. The case concerned a complaint brought by an Austrian citizen against Facebook Ireland, challenging the transfer of his personal data to the U.S. by Facebook. His complaint was dismissed by the Irish Data Protection Commissioner, who cited the Safe Harbor Framework (EU Commission Decision 2000/520) as the basis for examining the problem raised by the complaint. However, the Irish High Court referred the question of whether a member state is absolutely bound by the determination of EU Commission Decision 200/520 to the CJEU, and asked for a determination of whether a Commissioner is permitted to conduct its own investigation into the facts surrounding the complaint, and the adequacy of the protection provided by the Safe Harbor privacy principles in light of those revelations. The AG Opinion is the result of a hearing on those issues, and is a non-binding recommendation to the CJEU.
The Safe Harbor Principles have been under review for some time and the U.S. is working with the EU to ensure they are mutually satisfactory. In addition, the EU is working on a new data protection law which might also have an impact on the export of data from the EU to the U.S. To date, the EU has stopped short of suspension of Safe Harbor, but if the CJEU rules along the lines of the Opinion before revised principles or a new EU law have been finalized, the Safe Harbor may effectively be suspended.
While there are alternatives to Safe Harbor certification available to companies who transfer personal data such as payroll information and customer information, these measures are more bureaucratic, time consuming and costly to implement than the Safe Harbor program, which is operated by the U.S. Department of Commerce and enforced by the Federal Trade Commission (FTC). Adoption of Binding Corporate Rules imposes a data privacy and security scheme consistent with the EU Data Privacy Directive principles on an entire enterprise, and they must be approved by the data privacy commissioners of each member state where employees or consumers whose personal data is to be transferred are located. Implementation of model data transfer contract clauses into existing contracts governing the transfer of data would require contracts to be re-negotiated, and could potentially also be disruptive. Obtaining the consent of the data subject is always an available option, but under the EU rules, the consent must be “informed consent” – a higher standard than is typically employed in the U.S.
Companies who are considering adopting a program implementing the Safe Harbor Principles to obtain Safe Harbor certification may wish to re-evaluate their processes and options for data transfer before undertaking certification. While the opinion referred to above is not binding, companies would be well-advised to consider their options for establishing adequate protection as required by EU laws, in anticipation of potential disregard of Safe Harbor.