The US-EU Safe Harbor has been back in the news recently as Germany’s data protection commissioners met at the end of January and expressed impatience at the delay in implementing what many view as necessary reforms to the program. The European Court of Justice also recently heard a challenge to Facebook’s reliance on the Safe Harbor for the transfer of user data in what many see as an important test case; this lawsuit will be the topic of a future blog post.
Established in 1998, the Safe Harbor program provides a mechanism by which companies can publicly represent that they have established internal controls that provide an adequate level of protection, thereby permitting transfers of personal information from the EU to the US. (EU data protection law provides that – with limited exceptions – personal data can be transferred outside the European Economic Area only if an adequate level of protection is ensured, and the US is not among the countries whose laws the EU Commission has identified as providing adequate protection.)
Although there have been critics of the Safe Harbor program since its inception (particularly around issues of transparency and dispute resolution), criticism has been at an all-time high since the disclosure in 2013 of the U.S. National Security Agency’s surveillance activities. In response to these widespread concerns, the EU Commission issued a report in November 2013 setting forth 13 specific recommendations aimed at promoting transparency, ensuring effective dispute resolution and enforcement, and limiting access to personal information by U.S. authorities. Notable recommendations include:
- Notify the Department of Commerce regarding contracts with subcontractors, including cloud computing services, that will involve the transfer of personal data and make publicly available information regarding the privacy safeguards that are included in such contracts;
- Addressing affordability concerns with respect to alternative dispute resolution mechanisms and increased monitoring of ADR providers;
- Random audits by US authorities to ensure companies are in compliance with their privacy policies and investigation of false claims of Safe Harbor compliance; and
- Inclusion in privacy policies of information regarding the extent to which US law would allow US authorities to access data transferred under the Safe Harbor.
Although the EU Commission initially hoped to finalize reforms last summer, talks continue. It was revealed in November 2013 that agreement has been reached on most of the EU Commission’s recommendations but that US government access to personal data remains a sticking point. The EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, stated in January that the EU had indicated to the US that reforms must include “sufficient guarantees on national security access” and that the EU had “recently registered concrete engagement from the US on this issue.” She indicated a goal of finalizing a reform package by May of this year.
Accordingly, although there have been calls and threats for complete cancellation or suspension of the Safe Harbor program, this remains unlikely, not least because of the extreme economic consequences that would flow from such action. However, it appears certain that reforms will be implemented, and although the full scope of such changes is not yet known, companies can and should begin to prepare. Specifically, current Safe Harbor members, and those considering certification, would be prudent to:
- Consider a self-assessment of compliance with their data privacy policies and applicable data protection requirements;
- Examine their options in respect of ADR and consider the impact of a requirement that ADR be made free for data subjects seeking to utilize it; and
- Begin to identify vendor contracts that contain (or should contain) privacy provisions to ensure that they comply with the Safe Harbor requirements and to assess the feasibility of disclosing these provisions should that requirement be implemented.
We will continue to monitor the reform negotiations and will report here of any developments.
**This post also appears on Proskauer’s Privacy Law Blog.**