You may not think it, but the recent decision by the European Court of Justice related to the EU-US Safe Harbor Agreement could easily affect your business. And if you’re confused, you’re not alone.
Understanding the Safe Harbor
In 2013, Austrian Law student Max Schrem wanted to test the bounds of European data protection. He was concerned that information being transferred to the United States via his Facebook account was not complying with strict European law. Since Facebook had a European subsidiary in Ireland, Schrem filed a complaint with the Irish data protection authority, the Data Protection Commissioner, specifically alleging Facebook’s complicacy in U.S. intelligence agencies’ surveillance, a result of the leaks provided earlier that year by Edward Snowden.
In early October, the European Court of Justice (ECJ) weighed in. They made two decisions. The first was that the Data Protection Commission had independent authority to investigate Schrem’s complaint and in fact had a duty to do so. Secondly, and pertinent to Schrem’s complaint, the ECJ found that, contrary to the European Commission’s ruling, Safe Harbor did not provide adequate protection of personal information because it only applied to companies in the United States and did not bind law enforcement and the intelligence community.
Alternatives to Safe Harbor
While many have raised concerns about the loss of this legal transfer mechanism because of the heavy reliance on Safe Harbor by U.S. firms, the reality is the sky is not falling tomorrow.
While this opens the door to investigation by European data protection authorities, a flood of investigations is not expected, nor are regulators expected to take a heavy handed approach … at first. Companies with action plans in place will most likely be given time to implement those plans.
Safe Harbor is by no means the only mechanism for U.S. firms to legally transfer data from Europe, though it was the easiest with some 4,000 companies certifying their compliance to the U.S. Department of Commerce. Around 70 international companies have taken another route, the much more complex path of Binding Corporate Rules and getting those rules approved by a Data Protection Authority in Europe. While plausible for major companies with an international presence, this route is less likely for smaller firms, given the costs and effort involved.
Two other methods currently exist in the law to allow overseas transfers. One option is to obtain free and informed consent of the individuals whose information is being transferred. This requires not only notifying individuals in a very obfuscated manner about the collection, use and disclosure of personal data, but also ensuring that consent of the individual is without coercion. While this may be possible in a voluntarily used service like Facebook, the challenge for companies with employees in Europe is large.
In certain countries, the presumption is that employees are not free to consent because they are under threat of losing their job or other benefits should they fail to cooperate. There are other complications. For companies in these situations, the use of Standard Contractual Clauses is the preferred method. The Model Clauses are a set of legal terms for data transfer agreements which have been ratified by the European Commission. These state the terms of transfer and the requirements and obligations of the data controller and processor. While they impose no real substantive change over the requirements in Safe Harbor (i.e. they impose roughly the same data protection obligations), they are more challenging to manage and open the company up to scrutiny of a European regulator, something Safe Harbor aimed to avoid by placing the FTC in the role of principal regulator. The real concern there is that some of the companies self certifying under Safe Harbor haven’t done their due diligence and may not really have the administrative and technical controls in place to comply. Now, subject to a complaint in the E.U. they face the scrutiny of European regulators many of whom are generally suspicious or outright hostile to data going to the United States.