Where is EU’s Safe Harbor in the Stormy Waters?
The events that took place last Friday changed not only Paris, but the whole Western world. Among everything else, they brought the attention back to the issue of security and the need for thoughtful government action. Not only in the physical sense, but also online.
Vera Jourová, the European Commissioner for Justice, Consumers and Gender Equality, delivered a speech at the Brookings Institution in Washington, D.C. this week, which started with a moment of silence in honour of the victims of the attacks in Paris. “This is an attack on our values and basic principles,” Jourová said. “And what we value is our freedom. And what is part of our freedom is the protection of privacy.”
So what is Safe Harbor and why should you care about it? The previous 15-year-old Safe Harbour agreement between the United States Department of Commerce and the European Union (E.U.) was terminated by the European Court of Justice (ECJ) on October 6, 2015. It regulated the way that US companies export and handle personal data (such as names and addresses) of European citizens. In 1998, the EU established the European Commission Directive on Data Protection, which included very strict rules under which essential data transfer to non-European countries was prohibited.
Why should you care?
The termination has disrupted the work of over 5,000 US businesses which relied on Safe Harbour to receive personal data from EU member countries. Despite this, there remain clear guidelines on what actions companies can take to stay compliant with the EU Data Protection Directive. The cost of removing personal data from Europe to an alternative processing place will be huge. There are three main ways of validating the data transfer:
- getting personal consent to data transfers
- implementing strict corporate rules for intra-company transfer
- using model contract clauses including the EU Directive’s principles.
The most cost-effective solution is simply to include data transfer agreements modelled after the EU’s approved contract clauses, which allow companies to transfer data by going through an approval process.
In the same manner, companies that transfer data from Europe to the US need to be compliant. Companies need to consider the differences in model contract clauses between a data processor (a supplier that processes personal data) and a data controller (a customer that determines the purposes for the processing of data). The distinction will determine the kind of personal data to be processed, the method and frequency of the transfer, and whether to utilise an electronic or automated means of processing.
The Direct Marketing Association (DMA) is educating members about the different options when it comes to dealing with European customers’ data until the new agreement is ready. “There are other alternatives outside of Safe Harbour and [companies] would do well to examine their own data flows from Europe and look at the alternatives to see which would serve the needs of their company,” said Christopher Oswald, DMA’s vice president of advocacy.
The decision to invalidate Safe Harbour disrupts every business which requires transfer of personal data collected from residents in the EU to the US. Multinational companies operating in the EU rely on cloud-based storage by European subcontractors, and in transferring data intra-company from EU subsidiaries they will have to deal with the impact on global data flows and the legal issues this decision raises.
So why the change?
In a communication from November 2013, the European Commission stated: “There has been a growing concern among some data protection authorities in the EU about data transfers under the current Safe Harbour scheme. Some Member States’ data protection authorities have criticised the very general formulation of the principles and the high reliance on self-certification and self-regulation. Similar concerns have been raised by industry, referring to distortions of competition due to a lack of enforcement.” The revelations of mass surveillance made public by Edward Snowden exacerbated the need for reform.
As the justice commissioner went on to explain, “There is a political commitment to deal making, but more efforts are needed in the definition of what information American law enforcement agencies should be able to gain privileged access to.” The negotiations will proceed this winter, and a clarification of “national security” and “public interest” needs to be established. All being well, we hope that a final solution will be proposed in January 2016. Watch this space for more news…