Safe Harbor Program Under Assault: What's Next?


There you have it: the European Court of Justice's Advocate General, Yves Bot, issued a non-binding opinion that the 15-year-old Safe Harbor agreement that allows more than 4,000 companies in the US and EU to transfer personal data to the US is invalid.  This opinion comes in the aftermath of revelations that US firms were required to share personal data about their European customers with law enforcement agencies in the US.

In his decision, Advocate General Bot concluded that local data protection authorities are not bound by the European Commission's finding of adequacy, and have the legal authority to suspend data transfers from the EU to the US, if those authorities believe that personal data will be used in a way that violates European data protection law.  

So what does this opinion mean for businesses in the US and the EU?  Here are answers to some frequently asked questions.

Is the US-EU Safe Harbor Program invalidated or terminated?

No. The program continues to be valid and effective. Since its inception in 2000, various EU institutions, politicians, and national authorities have criticized and challenged the program, but it remains valid with binding effect for all EU and national authorities.

Remember, after all, that this is a non-binding recommendation to the European Court of Justice, not the Court's formal opinion. That opinion is expected later this year. And while Advocate General recommendations are rarely overruled by the Court, the political and economic stakes here are high. That means considerable pressure will play a role behind the scenes as politicians and policymakers formulate a way forward.

What are some of the key concerns with the Advocate General's opinion?

The Advocate General's recommendation neglects to address and analyze the many changes in US law and policy that have occurred since the Snowden revelations came to light. The USA Freedom Act, for example, was signed by President Obama in June of 2015, and includes provisions protective of privacy and civil liberties. Those protective provisions include: elimination of bulk collection of call data from providers by imposing requirements for specific selection terms; permission for FISA courts to appoint an individual or organization to provide, among other things, legal arguments that advance the protection of individual privacy and civil liberties; requirements for FISA courts to find that the data collection procedures meet applicable standards for data minimization; and allowance for certain nondisclosure orders to be challenged immediately by the recipient.

President Obama also issued Presidential Policy Decree 28 (“PPD-28”) in January of 2014, which applies to all signals intelligence activities (electronic system monitoring), and provides that “[p]rivacy and civil liberties shall be integral considerations” in those activities.  PPD-28 sets out specific principles to be followed for safeguarding personal data collected from signals intelligence activities, including: (i) minimization; (ii) data security and access; (iii) data quality; and (iv) oversight.  PPD-28 also includes requirements for privacy and civil liberties policy officials, a coordinator for international diplomacy related to foreign inquiries on signals intelligence, and periodic reporting by the Director of National Intelligence.

Finally, from a transatlantic perspective, the EU-US data protection "Umbrella Agreement" has now been approved by US and European authorities. This Umbrella Agreement establishes a comprehensive, high-level data protection framework for EU-US law enforcement cooperation and provides safeguards and guarantees of lawfulness for data transfers. In particular, once certain implementing legislation is adopted, EU citizens will under the agreement have the same judicial redress rights as US citizens in case of privacy breaches.

Moreover, although the opinion suggests that the European Commission has taken no action to update the Safe Harbor since its inception, the European Commission and the US Department of Commerce are, in fact, engaged in a comprehensive review of Safe Harbor. That agreement is reportedly "very close" to completion, and would establish an updated Safe Harbor program that addresses the Commission's specific points of concern with the program.

If adopted, what would the opinion mean for Safe Harbor companies and their European trading partners?

U.S. companies now registered under the U.S.-EU Safe Harbor Program would cease to be bound by the Safe Harbor Principles if the EU terminates the Program. The U.S. Federal Trade Commission would cease to be in charge of enforcing the Program. Existing consent decrees with U.S. companies that settled charges with the FTC relating to the Program may have to be renegotiated or may become partially invalid.

More disruptive still to the already burdened European economy, European companies that have been doing business with US company participants in the U.S.-EU Safe Harbor program would have to revisit their compliance obligations and options, which could disrupt their data protection compliance programs and established business relationships. They may have to ask their U.S. counterparties to consider standard contractual clauses, binding corporate rules, or other approaches. European companies may have to update their filings with data protection authorities, as well as all the information notices (privacy policies, IT policies, removal of safe harbor notices and all informative documents) which, in accordance with EU Privacy Laws or Safe Harbor Agreement requirements, previously indicated that they relied on the Safe Harbor Program to transfer data to the United States. Also, European companies may become subject to approval requirements with local data protection authorities for data transfers to the US.

If adopted, what would the opinion mean for European data protection?

The decision would materially diminish the protection for European personal data in the United States because it would eliminate the enforcement role of the Federal Trade Commission. Putting aside any perceived shortcomings in Safe Harbor enforcement, the reality is that the FTC has pursued numerous Safe Harbor cases to conclusion, and US companies remain greatly motivated by a reluctance to be subjected to the FTC's enforcement actions. It is an extraordinary benefit for European data protection, therefore, that the FTC will enforce European data protection rights against US companies on US territory. All of this, however, would be forfeited under the views in the Advocate General's opinion.

It would also call into question the validity of European Commission decisions of adequacy for other countries and systems, or at a minimum invite Member State data protection authorities to second guess the validity of the decisions. 

By way of comparison, it is worth noting that the alternative transfer methods (standard contractual clauses and binding corporate rules) on which European companies would have to fall back to continue trading with the United States have never been enforced at the governmental level to date.

Above all, the surveillance and data collection programs by the intelligence services of the United States and its European allies would likely remain unaffected in any way by a discontinuation of the US-EU Safe Harbor program: the intelligence services have been closely cooperating for many years on both sides of the Atlantic.  In fact, many European countries have recently enacted strict anti-terror laws that have, arguably, lowered data protection standards. 

What should Safe Harbor companies do now?

Companies on both sides of the Atlantic should continue to closely monitor the developments as they unfold. Those currently listed on the Commerce Department's US-EU Safe Harbor List, and those whose business depends on a robust exchange of personal data between the two regions, should be especially vigilant and vocal about the possible disruptions to their operations if the European Court of Justice ultimately decides to adopt the Advocate General's recommendation. Companies should also consider additional and alternative arrangements to legitimize international data transfers, including the preparation of model agreements, reliance on derogations such as consent or, where practical, development of binding corporate rules. As with all data protection issues, there can be no one-size-fits-all solution.

The full Advocate General Opinion is available to read online. What do you think will happen? Can the proposed General Data Protection Regulation restore marketplace certainty? Share your thoughts on the future of Safe Harbor. E-mail me directly at harry dot valetk at bakermckenzie dot com.
