Data Security Impasse Overturns Safe Harbor Program

An Austrian student’s displeasure with Facebook has invalidated the longstanding trans-Atlantic Safe Harbor program for international data transfers.

Concerns about data privacy, and that student’s complaint over whether Facebook was complicit in snooping by U.S. intelligence agencies, reached the European Court of Justice, setting up an Oct. 6 ruling that the agreement was invalid, putting multinational and online companies on alert that much greater compliance demands are on the horizon.

“Companies need to be thinking about … alternative means for data transfer,” says Heather Sussman, a privacy & data security partner for Ropes & Gray.

The European Union’s Data Protection Directive, adopted in 1998, prohibits the transfer of personal data to non-EU countries that fail to meet its standards for privacy protection. In response, the United States and the European Commission crafted the Safe Harbor Program in 2000; it requires U.S. companies to certify, subject to enforcement by the Federal Trade Commission, that their handling of personal data meets or exceeds EU standards.

The agreement worked without much controversy, until former CIA employee Edward Snowden exposed the massive U.S. surveillance programs that snooped on personal data around the world. The outcry throughout Europe motivated a legal complaint by Austrian law student Max Schrems against Facebook. His allegation: The company gave the National Security Agency a backdoor for reviewing user data (a claim Facebook vehemently denies).

The Irish Data Protection Commissioner—drawn into the controversy because Facebook, like many other U.S. tech companies, bases its European headquarters there—ruled on the side of the social network. An appeal reached the European Court of Justice. That led to a non-binding opinion in September by Yves Bot, advocate general at the court. He opined that the Safe Harbor agreement did nothing to prevent government spying and should be invalidated. ECJ judges subsequently made Bot’s opinion official and legal.  

“Companies need to be thinking about … alternative means for data transfer.”
Heather Sussman, Privacy & Data Security Partner, Ropes & Gray

The ruling creates big problems for the nearly 4,500 companies covered by the Safe Harbor program, as well as any business that moves data between the United States and EU member states.

“U.S. companies have to appreciate that this is a binding legal decision across Europe and there is no higher court to appeal it to,” says Susan Foster, a member of the law firm Mintz Levin. “Companies should be focusing a lot of attention on what their contingency plan is. If Safe Harbor is effectively suspended, it may not necessarily be something that goes into effect immediately across the European Union. The court could kick the decision back to local data protection offices.”

That could result in some national authorities deciding that the Safe Harbor is still enforceable, while others take the view that it isn’t. Foster expects significant political pressure for the latter approach.

The threat to Safe Harbor reflects growing concerns in Europe over differences in how that region views privacy versus the United States. “In Europe we have a holistic data protection regime,” says Rohan Massey, a London-based partner with Ropes & Gray. “It is universal and covers any form of personal data. Because the United States has a sector-based approach to data protection—great protection in the healthcare sector under HIPAA, but not necessarily in general commerce—it is seen as not having adequate protection.”

The decision will result in less data protection for Europeans and a greater compliance burden for companies for all involved, says Brian Hengesbaugh, a partner with law firm Baker & McKenzie, who helped negotiate the Safe Harbor agreement years ago while at the U.S. Commerce Department. “The advocate general’s proposal … would result in an overall lowering of protection for European personal data in the United States because it would take the Federal Trade Commission out of the role of enforcing European privacy rights against American companies on U.S. territory,” he says.

Invalidation of the agreement would leave companies with four options:

Using model contractual clauses between companies;

Adopting binding corporate rules (BCRs) to permit transfers of personal data within a multinational corporation or international organization;

Obtaining the “unambiguous consent” of all customers;

Ignoring the decision and continuing with business as usual—not necessarily a smart move but still a possible one.

RESTORING TRUST

The following are 13 recommendations, crafted by the European Commission in 2013, for “Restoring Trust in EU-US data flows.”
Transparency

Self-certified companies should publicly disclose their privacy policies.

Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbour website which lists all the ‘current’ members of the scheme.

Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.

Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.
Redress

The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider.

ADR should be readily available and affordable.

The Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.
Enforcement

Following the certification or recertification of companies under Safe Harbour, a certain percentage of these companies should be subject to ex officio investigations of effective compliance of their privacy policies (going beyond control of compliance with formal requirements).

Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year.

In case of doubts about a company's compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.

False claims of Safe Harbour adherence should continue to be investigated
Access by U.S. authorities

Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.

It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate.
Source: European Commission.

Each alternative has drawbacks. “Especially for online companies, there will be quite a few who look at this and see that the only option they had for complying with EU privacy rules has been taken away,” Hengesbaugh says. Drafting binding corporate rules could take a year or more, and “if I’m a U.S. online business, I’m not going to go that route because it would confer a whole range of omnibus privacy rights on my U.S. consumer base,” he says.

Model contracts and BCRs are also subject to attack on the same grounds the Safe Harbor is. “The model contract clauses effectively say, hand on the Bible, I am going to keep all of this personal data completely secure and treat it just the way it would in the European Union,” Foster says. “But you can’t say that as a matter of corporate policy, you are going to disobey U.S. law. You can’t use a model contract without being in breach.”

Obtaining customer consent (think of those long Terms of Use agreements online that you never read before clicking) is problematic because of the sheer number of users an online service may have. EU officials might also raise concerns over whether any of it was actually read and understood.

Doing nothing? Well, although fines now are relatively low, a draft European General Data Protection Regulation, approved at the start of 2015, increases that risk. It calls for maximum fines as high as €1 million or 5 percent of total revenue, whichever is greater. Foster also warns that “customers in Europe aren’t going to want to do business with you.”

The threat to Safe Harbor comes at an important time. In addition to the still-in-development European General Data Protection Regulation, Washington and Brussels are working on a “Safe Harbor 2.0” that would expand the current agreement to better reflect evolving concerns about social media, cloud services, and, of course, government spying.

Also, on Sept. 8, after more than four years of negotiations, Europe and the United States agreed on a separate data protection agreement that covers multinational transfers for the detection, investigation, and prosecution of criminal offenses. And there are the Transatlantic Trade and Investment Partnership negotiations. The United States wants to incorporate data protection agreements into the deal; Europe does not.

Meanwhile, as the ramifications of the ECJ decision are unpacked, companies would do well to take a fresh look at their data privacy policies as they prepare for future demands, Massey says. Training is crucial and companies cannot “self-certify and just put everything in a drawer.”

“Any company that has currently registered for Safe Harbor should be looking at its certification and, from the board level on down, at whatever the governance structure is for privacy and data security,” Sussman says. “Compliance should be talking to the team that certifies the Safe Harbor certification ... To what degree have you really implemented these principles and have a robust process? Make sure the company is confident it has gone through the process of appropriate self certification.”