Changes to the Safe Harbor regime will almost certainly be made in 2014 but what should companies doing business with US entities do in the meantime?
What is Safe Harbor?
The US Safe Harbor framework was developed in 2000 by the US Department of Commerce in collaboration with the European Commission (EC). It is intended to provide an adequate level of protection for personal data that EU businesses transfer to US companies, so that those transfers can comply with the data export requirements of the EU Data Protection Directive.
Under the framework, US businesses can self-certify on an annual basis that they will comply with a binding set of principles. Although the arrangement is voluntary, once a business signs up to the Safe Harbor register it assumes various legal obligations which are enforced by the US Federal Trade Commission.
EC Analysis 2013
Since its introduction, many in the EU have been sceptical about the protection offered by Safe Harbor, primarily because of perceived shortcomings in the self-certification process. In 2013 a number of high-profile European figures and bodies added to or joined the debate (including the German data protection commissioners, the European Data Protection Supervisor, the Chairman of the Article 29 Working Party and the EC). Most expressed concern, particularly in light of revelations in the press that the US government has been carrying out mass surveillance of its European allies.
On 27 November 2013, the EC issued a communication identifying 13 'recommendations' to improve the effectiveness of the Safe Harbor framework. These focused on improving transparency and ensuring effective monitoring and enforcement of the principles. A full list of the recommendations is set out below.
Although the EC's findings highlighted the numerous weaknesses in the current regime, it was considered by some to be a positive step as it showed that Safe Harbor could have a future, even if that future is contingent on the US Department of Commerce going back to the drawing board.
LIBE Report 2014
A draft report prepared by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE), as part of its inquiry into US mass surveillance of EU citizens, was leaked in January 2014. The report is the outcome of more than 15 hearings and submissions by EU and US experts, EU institutions and branches of the US government.
The draft version of the report, which is dated 23 December 2013, pulls no punches, stating that Safe Harbor's weaknesses are wide-ranging. It points out that none of its many shortcomings, a number of which were identified by the EC in reports issued shortly after Safe Harbor's inception in the early 2000s, have been rectified.
One of LIBE's recommended actions is the suspension of Safe Harbor until a full review has been conducted and current loopholes are remedied, to ensure that transfers of personal data to the US comply with the highest EU standards. The report raises the stakes by making this draconian recommendation but does not go on to explain how a suspension could work in practice.
What could abolition of the regime mean for existing contracts?
In short, no-one can be certain. The EC has not yet given up on Safe Harbor, and it is unlikely to abolish or suspend the framework without first putting a contingency arrangement in place. Doing so would effectively close down data flows between Europe and the US, which would have devastating effects on the economies on both sides of the Atlantic and further afield.
The survival and credibility of Safe Harbor is of vital importance to the 3,000+ US organisations that are Safe Harbor certified and the countless trading partners based in the EU who (perhaps in some cases unwisely) rely on their counterparty's registration as a carte blanche for exporting personal data to the USA without the need for further legal protection.
Is it prudent to rely on Safe Harbor as a means for ensuring adequate protection of personal data in the USA?
The Commission's 27 November 2013 report allowed those dependent on Safe Harbor to breathe a sigh of relief... for now.
However, EU-based organisations should be wary of relying on Safe Harbor as their sole means of compliance with the data export laws for personal data transfers to the USA, given the uncertainty around Safe Harbor's future. They should consider whether it is appropriate to ensure an adequate level of protection in the USA through other means (e.g. the EU model clauses or intra-group binding corporate rules). This is particularly important where the arrangement or solution is business critical or involves a high volume of sensitive data of EU citizens.
Our advice to EU companies who choose to continue to rely on Safe Harbor remains the same:
- Check what the US service provider has committed to on the Safe Harbor register and undertake due diligence to make sure that what has been 'represented' in the certification is actually true. Don't simply rely on enforcement by the Federal Trade Commission.
- Ensure that contracts that rely on Safe Harbor give the EU company the right, should its US counterpart cease to be Safe Harbor registered or should Safe Harbor cease to be a recognised option, to require its US counterpart to enter into an alternative arrangement such as the EU model contracts.
The long-term future of Safe Harbor remains in the balance, but at this stage we cannot see how the immediate suspension of the framework, as recommended in LIBE's leaked report, would benefit business or work in practice. There is a broader debate around whether the EU data export laws are too draconian anyway, which may still play out in the context of the proposed new EU Data Protection Regulation.
The EC will continue to work with the US authorities to find a long-term solution but in the meantime it is prudent to consider whether alternative measures should be used.
Our information law experts are closely watching the developments relating to future of Safe Harbor and will issue follow-up alerts on the subject.
The European Commission's 13 recommendations are:
Transparency
- Self-certified companies should publicly disclose their privacy policies.
- Privacy policies of self-certified companies' websites should always include a link to the Department of Commerce Safe Harbor website which lists all the 'current' members of the scheme.
- Self-certified companies should publish the privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.
- Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.
Redress
- The privacy policies on companies' websites should include a link to the alternative dispute resolution (ADR) provider.
- ADR should be readily available and affordable.
- The Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of the information they provide concerning the procedure they use and the follow-up they give to complaints.
Enforcement
- Following the certification or recertification of companies under Safe Harbor, a certain percentage of these companies should be subject to ex officio investigations of effective compliance with their privacy policies (going beyond control of compliance with formal requirements).
- Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to a specific follow-up investigation after one year.
- In case of doubts about a company's compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
- False claims of Safe Harbor adherence should continue to be investigated.
Access by US authorities
- Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under Safe Harbor. In particular, companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.
- It is important that the national security exception foreseen by the Safe Harbor Decision is used only to an extent that is strictly necessary and proportionate.