Hurricane CJEU made landfall on October 6, 2015, sweeping away the US-EU Safe Harbor framework that had been in place since 2000.
Prior to this decision by the Court of Justice for the European Union (CJEU), Safe Harbor allowed US companies to transfer, store, utilize and process EU citizens’ data with minimal oversight.
Generally speaking, this arrangement was acceptable as long as US companies self-certified adherence to the seven Safe Harbor Principles:
- Notice – What is collected, Who is collecting, and Why the information is collected;
- Choice – Ability to opt out;
- Onward Transfer – a.k.a. Consent in transfer to third parties;
- Access – Right of individuals to correct, amend, or delete their data;
- Security – Data must be protected and secure;
- Data Integrity – The data collected must be relevant for the purpose collected; and
- Enforcement – Structures must exist to verify compliance of the companies using Safe Harbor.
The original goal of Safe Harbor was twofold: protect the privacy of EU citizens, and allow for data flows from EU to US companies. For now, Safe Harbor is gone. Early rumblings indicate that Safe Harbor will return in some form but the timetable is unknown, and most likely, we are looking at mid- to late-2016 – at the earliest.
Preparing for Uncharted Waters
In order to understand what must be done until Safe Harbor returns and what to expect when it does, we must first look at the two primary reasons it was struck down: 1) US security issues trumped Safe Harbor data privacy principles; and 2) national data protection authorities must hear citizen complaints and have the authority to stop a data transfer.
Despite the clear ruling, the US Department of Commerce is still administering the Safe Harbor program and has issued this statement on their website:
In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.
So for the time being, the US is choosing to believe that rumors of Safe Harbor’s demise are greatly exaggerated. That said, any future bilateral Safe Harbor scheme must reconcile the underlying issue here, namely that the EU will not accept “US national security concerns” as a valid reason to override the privacy of EU citizens.
This prong of the decision will likely result in a Safe Harbor sequel agreement under which government inquiries into EU citizens’ data may occur only in certain situations (i.e. court rulings). In other words, this prong does not give much guidance that a business can prepare for, but it is good to be aware of it.
The second prong will most assuredly result in substantive changes that companies can begin to prepare for. At a minimum, any sequel to Safe Harbor will involve the data protection authorities (“DPA”) where the data is collected, and companies will have to adhere to DPA-specific rules and procedures for complaints.
National Data Protection Authorities and you
The very first step for any company affected by this ruling is to audit the countries in which they control or process data. Within each of these countries, it will behoove you to baseline local policies and procedures for each DPA and verify whether any changes to operations must occur.
Next, audit the agreements you have in place to ensure that you are utilizing ICO model clauses for company-to-company agreements and ICO binding corporate rules (“BCR”) for data transfers within a company that cross borders. For BCRs, your company will most likely have to apply for and obtain approval from each DPA in whose country data is collected.
For example, let’s say you have a multinational corporation that collects insurance data in four EU countries but that processes all the collected insurance claims data in its US-based branch. In this scenario, you will likely need BCRs with each DPA for those four EU countries.
Similarly, if the data processing is not done within the company but is outsourced to a third-party US company, both the EU and US companies will need to ensure there are model clauses within the services agreement so that the EU Data Protection Directive adequacy standards are satisfied.
Ideally, you and your company did not rely exclusively upon Safe Harbor self-certification but also used one of the other established methods of assuring the adequate security of data transfer, i.e. BCRs and/or model clauses.
Whether you have employed these methods or not, get your legal department and executive team at the table and develop a plan immediately to audit, review, and correct issues that are discovered. The current environment will likely continue for some time, if not indefinitely. The stalled negotiations, coupled with the US Department of Commerce’s stance that Safe Harbor is still in effect, will not likely yield a new agreement any time soon.
Batten down the hatches and prepare: Hurricane CJEU will return.
About the Author: Hudson Harris (@legallevity) is the Chief Privacy Officer and Associate General Counsel for a company encompassing clinical services and software design. He focuses on risk management, compliance, and privacy/security practice creation, management, and consulting. He holds a BA in International Affairs, a Masters of International Business, M.B.A., J.D. and is a licensed attorney in California.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock