Anyone who carries on business in the EU must have heard about the end of Safe Harbor (at least in its current form). For those unfamiliar with it, or for those who have been avoiding the subject to maintain their sanity, Safe Harbor was previously the procedure under which US businesses could legally transfer data from the EU to the US – something otherwise forbidden under EU Data Protection laws. Admittedly, Safe Harbor was a very weak system which relied on corporations adhering to the obligations set out in the scheme: enforcement actions or audits were seldom carried out by the US Department of Commerce, which oversaw it.
As a result, the Data Protection Regulators around the EU became increasingly uncomfortable about whether the system was sufficiently robust for them to trust that the data of EU citizens under their care was being adequately monitored and protected once transferred outside the remit of the EU. Then along came Mr Snowden and the NSA, at which point some EU Regulators (and EU businesses) publicly dismissed Safe Harbor and declared it insufficient to comply with local data protection laws. However, whilst US businesses started to notice that (particularly German) customers were requiring different solutions, there was no single voice on the subject, and so most US businesses continued to rely on, and proclaim their reliance on, the Safe Harbor system.
That was until mid-October, when the EU’s Court of Justice ruled on a case brought by an Austrian citizen against Facebook. The citizen (a student named Max Schrems) brought the action as a test case, and the result has made history in the world of data protection enthusiasts. With effect from the date of the ruling, Safe Harbor was declared invalid by the EU and therefore no US business was entitled to legally transfer any data between the continents without an alternative solution.
That shouldn’t have been too much of an issue, since there are other recognized solutions (EU model clauses or binding corporate rules being two) upon which reliance could be placed. However, within a week of the ruling, Regulators around the EU met to discuss the outcome and provide guidance to the global community, who were wondering what to do next. Unfortunately the guidance cast further shadows, as suggestions were made that the above solutions may also be inadequate, albeit that the Regulators agreed not to take any enforcement action for breach of the transfer rules until the end of January 2016.
Clearly a three-month moratorium on action is welcome, as it gives businesses time to analyze their current data flows and what they transfer where, but regrettably we remain in the dark as to which alternative solution to build into business contracts or systems for future compliance.
Certainly, EU model clauses may continue to be used for the time being, and many will already have redesigned their customer contracts to include them. I suspect adopting them now is a positive step towards compliance, in the hope that no further statement declaring them invalid will come. Seeking user consent and ensuring all EU data remains solely within the EU are also solutions, although I question whether those are commercially workable for most US businesses whose business models are now built around mining data. Even HR data relating to European employees is caught, and typically it will be held on US servers centrally managing global workforces.
So, unlike other posts I have written, the conclusion to this one is to continue to “wait and see”. The US is making moves towards negotiating a new version of Safe Harbor during December, the EU Regulators are promising to meet and provide more comprehensive guidance, and the Irish DP Regulator is grappling with investigating Facebook through enforcement of the EU judgment in Ireland; all in all, it could be said that we’re in a bit of a mess. Perhaps for once it’s better to keep ears and eyes open until some definitive advice can be given – but be assured that when a solution is identified, a lot of running around will be needed to ensure compliance within the current timeline. On that basis, undertaking internal data audits now will at least give you a good overview of your own processes and put you in a better position to start making legal or contractual changes when clear guidance is finally given. The good news is that with over 4,000 companies registered for Safe Harbor and now in the same position, you’ll likely be in pretty good company. At last, something positive!