Safe Harbor scheme under threat as EC sets US deadline to improve- UK
In a series of papers and reports published yesterday, the European Commission (EC) has set out what it requires US law makers to do to rebuild its trust following Edward Snowden Prism revelations. Of particular interest to European businesses with US connections is the open threat to review the long term future of the Safe Harbor certification scheme. Safe Harbor is the compliance mechanism which has been in place since 2000 and is relied upon by many European organisations to allow them to share data with US suppliers, partners and group companies.
The EC has set out 13 recommendations for the Safe Harbor scheme, and has said that it will assess progress against these in summer 2014. The implication is that if the EC is not satisfied that changes have been made by US companies and authorities, it will withdraw its approval of the scheme. That would inconvenience a large number of US and European businesses and force them towards other costly data transfer solutions such as Binding Corporate Rules, leaving the Commission open to criticism that it could be about to cut off its nose to spite its face.
That’s not the way the EC sees things. The BBC quote the Commission as saying:
“Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced….There is now a window of opportunity to rebuild trust, which we expect our American partners to use”.
The 13 recommendations include some tough obligations including the following. Organisations which rely on Safe Harbor certification should consider now whether and how they will make operational changes in light of the EC’s statement.
The EC require that Safe Harbor certifying companies should:
• Publicly disclose their privacy policies;
• Publish details of the privacy conditions included in contracts which they make with sub-contractors, eg cloud providers (no mention of concessions for maintaining confidentiality or security are made by the EC);
• Publish details of the extent to which they are obliged to disclosure data to US law enforcement agencies (presumably in their privacy statements);
• Publish details of the dispute resolution mechanism which will apply to complaints about their compliance with their Safe Harbor certification (ie the mechanisms via which EU citizens can lodge complaints).
The EC also calls for false claims of Safe Harbor compliance to be investigated and enforced against (so certified companies should pay particular attention to when renewal dates for certification are due.)
Over US 3000 companies are currently listed on the US Department of Commerce’s website as being Safe Harbor certified. The number of data transfers made each year to those companies in reliance upon those certifications will be...well the term Googol (as in the original use of that word) comes to mind.
Unless the EC’s mood is improved by summer 2014 a large number of European businesses will need to look for new data transfer solutions. In the interim 3000 plus US companies have a decision to take about whether they follow the EC’s Safe Harbor recommendations and whether it might be time to look at other data transfer solutions.
A copy of the EC’s press release detailing its Safe Harbor review and other reports published yesterday can be found here.
*This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.