Three weeks after Europe’s top court demolished one of the cornerstone agreements for modern, trans-Atlantic business, thousands of U.S. companies are still grappling with one basic question.
The issue, of course, is the Oct. 6 ruling from the European Court of Justice that the U.S.-EU Safe Harbor Framework, in place since 2000, is invalid. The decision effectively means that personal data transferred from Europe to the United States is no longer presumed to be protected adequately—and individual EU nations can now regulate that flow of data much more vigorously, or bar it entirely.
“Companies … are now subject to investigations by individual data protection authorities to determine whether or not their programs actually protect the data that is being transferred,” says Grant Petersen, a shareholder at law firm Ogletree Deakins. Companies may also be subject to individual complaints by employees and customers and face possible enforcement actions and penalties, he says.
For the nearly 4,500 companies that self-certified under Safe Harbor principles, the decision means that they must find another adequate means to transfer personal data. “If you’re transferring data on a regular basis from the European Union and you’ve been relying on the Safe Harbor, you better get Plan B into motion,” says Cynthia Larose, chair of the privacy and security practice at law firm Mintz Levin.
The case, Schrems v. Data Protection Commissioner, began in 2013. Austrian national Maximilian Schrems complained to Ireland’s Data Protection Commission that Facebook’s Irish subsidiary was transferring his personal data to servers located in the United States and that U.S. intelligence agencies unlawfully have access to this data—an argument that arose out of the Edward Snowden revelations. (All Facebook subscribers residing in the European Union sign a contract with Facebook Ireland, giving Irish authorities jurisdiction over the case).
Ireland’s data protection authority rejected Schrems’ complaint, holding that the Safe Harbor principles adequately protected the data. Then came the appeals, ultimately leading to the ECJ’s ruling against the Safe Harbor program, and here we are.
Companies have been reviewing their other options since the ruling. One of the first steps Oracle took, for example, was to put together a cross-departmental team—legal, compliance, security, products, sales, and more—to come up with a plan of action. “All of us are involved in thinking openly about what this means for us and how we can address it,” Pedro Pavón, senior corporate counsel at Oracle, said during a recent Webcast on the subject.
The first step companies should take is to map their data flows. “Analyze and catalogue and inventory your data streams,” Larose says. “Many companies don’t have a good handle on exactly what data is coming and going: Who are your service providers? What information do those service providers handle? What are you transferring to them?”
You’ll also want to contact your service providers to inquire how they intend to respond. “Lots of companies rely on service providers to move data,” Larose says. “The thorny issue for a lot of U.S. companies with EU subsidiaries is the use of a cloud-based HR information systems provider.”
Such service providers often are located in the United States, but when you’re putting personal data into a cloud-based server, that’s automatically considered a transfer under EU law. So it’s essential to ask those service providers how they intend to respond, Larose says.
Petersen suggests that if the data is not essential for the business, try to limit transfers on a “need-to-know basis.” If that’s not an option, anonymizing the data so that it cannot identify any specific person voids the need for any data privacy agreements, he says.
With the Safe Harbor no longer valid, many companies are now turning to “model contracts,” standard contractual clauses that the European Commission or a national data protection authority has approved for use in data transfers. As under the Safe Harbor principles, U.S. companies that sign them agree to be bound by EU data protection principles.
The good news: Model contracts are boilerplate clauses. That being said, some EU data protection authorities require that changes to the clauses must go through them for approval.
U.S. SAFE HARBOR DECISION
Below is a partial text of a press release issued by the European Court of Justice, declaring the European Commission’s U.S. Safe Harbor Decision invalid.
The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.
The Court then investigates whether the Safe Harbor Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbor scheme. Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.
Source: The European Court of Justice.
“So long as the model contract clauses have not been altered in any way, that’s a fairly straightforward process and the data protection authorities most likely will provide approval rather quickly,” Petersen says.
Another option is Binding Corporate Rules (BCRs), under which all of the company’s operating units worldwide agree to be bound by European data protection requirements. Unlike model contracts (which must be entered into by each EU subsidiary and the U.S. parent), BCRs automatically permit transfers from the European Union to any entity within that corporate structure anywhere in the world, so BCRs are a slightly more attractive option, Petersen says.
The process, however, is time-consuming. BCRs must be reviewed and approved by the relevant member state authority prior to enactment, and that can take as long as 18 months to implement, Petersen says.
Furthermore, large multinationals—think Oracle, Microsoft, or Salesforce—have thousands of software and cloud offerings. “Making sure that binding corporate rules apply to all those products is a complicated internal process that can take years,” Pavón said. “They’re the hardest scheme for most companies to incorporate in terms of complying with EU rules.”
Neither model contracts nor BCRs are as legally sound as the Safe Harbor principles. With both methods, people can still file legal actions against either the U.S. company or its EU subsidiary if they believe their personal data is not adequately protected.
Of all the options, right now model contracts seem to be the most feasible. “Moving servers overseas is expensive, and that’s a long-term process,” Hugo Teufel, privacy counsel for Raytheon, said during the webcast. “Binding corporate rules can also be expensive and time consuming.”
Can’t companies just obtain consent from individuals to transfer their data outside the European Union? Well, yes, but those data subjects (whether employees or customers) can refuse to sign the contract or revoke their consent at any time, “so it’s not a very stable option,” Petersen says.
Companies wondering how long until penalties start to bite also have an answer, in the form of a statement issued Oct. 16 by the Article 29 Working Group, which acts as a policy-setting body for all EU data protection agencies. “If by the end of January 2016, no appropriate solution is found with the U.S. authorities, and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions,” the working group stated.
An even greater risk than enforcement actions are contractual arrangements, Larose says. Numerous contracts still include language representing certification under the Safe Harbor principles. Since that language is no longer valid, “what effect does that have on the contract? Does your counter-party have a right to terminate the contract?” Larose says. “That’s the bigger risk that we’re seeing right now.”
Safe Harbor 2.0
Since 2013, EU and U.S. authorities have been negotiating to draft a new data transfer and protection framework, more commonly known as “Safe Harbor 2.0.” Whatever new framework ultimately gets adopted, “it will have to respect the parameters of the ECJ’s ruling,” Andrew Gloriosa, counselor for the digital economy at the delegation of the European Union to the USA, said during a Webcast sponsored by TRUSTe.
A formal adoption date for Safe Harbor 2.0 is not yet clear, but “to lean back and sit tight and see how things play out is not productive,” Pavón said. “You’ve got to be proactive. You have to search for ways to operate and continue to do business.”
Companies should consider creating methods for consumers and employees to complain to you first about use of their personal data, before they complain to regulators, Pavón said. “Provide answers and solutions,” so that if a complaint does go before a data protection authority or regulatory agency, “at least you can demonstrate goodwill and a proactive approach to the issue.”