In the aftermath of disclosures of the extent of U.S. government monitoring of private communications, the European Commission is currently considering changes in the U.S.-EU Safe Harbor framework. The EU and its member states already have some of the strictest data privacy laws in the world. Under current EU law transfer of personal data the United States is generally prohibited because the United States fails to meet the EU “adequacy” standard for privacy protection. Current law provides a “Safe Harbor” in cases where the U.S. recipient of data can certify to the U.S. Department of Commerce that it meets the privacy requirements set up under the U.S.-EU Safe Harbor Framework. Such certification now allows the transfer of personal data.But in light of newly-disclosed privacy threats such as the surveillance program of the U.S. National Security Agency, (NSA),the European Commission has proposed several changes to the US-EU Safe Harbor program, including the following:
- The Safe Harbor must become more transparent;
- The program must be revised to contain an alternative dispute resolution procedure;
- Compliance with the Safe Harbor must be more actively enforced and audited by the U.S. Department of Commerce; and,
- U.S. authorities must make clearer the circumstances under which they will gain access to EU personal data processed by a Safe Harbor self-certified company.
If these recommendations are all implemented, they will increase the compliance burden on companies participating in the Safe Harbor (“Safe Harbor Company”) with respect to the personal data of their EU-based employees and customers. In particular, a Safe Harbor Company would be required to do the following things to comply:
- publish its privacy policies, and its website privacy policies would need to include a link to the Department of Commerce’s Safe Harbor List;
- publish the privacy provisions of contracts with any subcontractors (e.g., for cloud computing services);
- notify the Department of Commerce of onward transfers of personal data;
- offer an alternative dispute resolution system to EU citizens in its privacy policy and include a link to the ADR provider;
- be subject to regular external audits by the Department of Commerce to assess its actual compliance with the Safe Harbor principles and its privacy policies; and
- provide a sufficient description of U.S. laws requiring disclosure of personal data, how U.S. authorities may use those laws to gain access to EU personal data, and how a Safe Harbor Company would make exceptions to the Safe Harbor principles for U.S. national security, public interest or law enforcement requirements.
U.S. industry has been preparing comments to the European Commission about these recommendations. The industry is and are challenging, in particular, the recommendations requiring (i) disclosure of the privacy provisions of contracts with subcontractors, (ii) describing the extent to which U.S. law allows public authorities to subpoena data, and (iii) indicating when U.S. companies would apply a national security or law enforcement exemption.
Meanwhile, the European Parliament recently passed a resolution responding to the NSA’s surveillance program. Among other things, the resolution calls for suspending the Safe Harbor immediately, alleging it does not adequately protect European citizens. However, the European Parliament’s resolution does not have immediate consequences for the validity of the Safe Harbor. The underlying agreements relating to the Safe Harbor were entered into by the European Commission, and the European Commission alone is in a position to formally renegotiate the agreement. However, the resolution is an indication of the tremendous political pressure on the European Commission to implement changes to the Safe Harbor.
Given the great political sensitivity of these issues in the EU, it would be prudent for Safe Harbor Companies to begin initial planning for the contingency that some or all of these recommendations will be implemented. The proposed changes are significant and some companies may even question whether the cost of implementation and the monitoring of how personal data from the EU is transferred and handled will be worth continued participation in the Safe Harbor. Alternative options for international personal data transfer compliance would be to use the EU’s model contracts or Binding Corporate Rules.
A Joint Statement released following the US-EU summit last month committed both parties “to strengthening the Safe Harbor Framework in a comprehensive manner by summer 2014”. Attorneys in Sheppard Mullin’s data privacy practice will continue monitoring the situation and provide updates as circumstances warrant.