The Safe Harbor
For 15 years, the Safe Harbor Framework has provided a way for U.S. companies to comply with the EU Data Protection Directive. Under the directive, transfers of personal data from the EU to a non-EU country are prohibited unless the receiving country can assure an adequate level of protection for the data. While a number of countries do comply – among them Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay – the United States does not. The Safe Harbor Framework was developed by the United States Department of Commerce and the European Commission as a mechanism to address the EU law’s adequacy standard. U.S. businesses voluntarily participate in the Framework and thereby comply with its terms.
Implications of the Decision
While the headlines are stark, the implications of the decision are unclear. It is generally understood that companies currently operating under the Safe Harbor Framework may be subject to claims that data transfers are unlawful under the EU laws and subject to suspension of data transfers by EU Member State data protection authorities. Whether EU Member State data protection authorities proceed or respond to complaints, or whether companies will be given a grace period to effectuate changes, is not clear.
There also remain a variety of different ways U.S. companies can meet EU privacy requirements, such as “Binding Corporate Rules” (BCRs), which are contractual mechanisms for ensuring compliance which also may not protect against intelligence surveillance activities. These methods are, however, unwieldy and expensive to implement.
The decision also comes at a time when the United States and European Commission are working on improvements to the current structure, as well as the pending implementation of a new regulatory regime for privacy in the EU that will replace the existing Privacy Directive.
What to Do
We advise companies to take action now to meet compliance requirements. Among other things, U.S. companies that transfer data from the EU should consider:
- Assessing the nature and scope of the organization’s reliance on the Safe Harbor Framework for data transfers.
- Analyzing whether alternative mechanisms for data transfer compliance.
- Determining whether containment of all or some data within the EU is feasible.
- Assessing contractual commitments based on Safe Harbor compliance and determining whether other contractual terms can be inserted (e.g., BCRs).
Finally, we suggest that our clients take this opportunity to review their privacy and security policies, procedures and technology – regardless of the existence or lack of the Safe Harbor, and whether or not there are other compliance mechanisms, a company that has implemented effective privacy and security controls will be in a better position to meet the demands of the future.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.