On Oct. 6, the 2000 international data transfer agreement known as Safe Harbor was invalidated by the highest court of the European Union (EU). Safe Harbor is a framework governing the transfer of data from the EU to the United States. Under the agreement, which was negotiated and managed by the U.S. Department of Commerce, U.S. companies that self-certify their compliance with the privacy and security principles could legally send and receive data to and from Europe. Scores of companies in the United States have built data transfer standards based on Safe Harbor and have even woven it into company data security policies and procedures.
Now the Court of Justice of the European Union (CJEU) has rendered Safe Harbor invalid based on the court’s opinion that the U.S. National Security Administration’s PRISM program (revealed by Edward Snowden in 2013) is inconsistent with EU privacy principles, jeopardizes European citizens’ data, and can expose the data to the U.S. government. The decision maintains that complying with the Safe Harbor standards doesn’t provide an adequate level of personal data security.
So for those companies that have relied on these standards so much and even those that only dabble in international data transfers: Now what?
The answer is not a simple one. Theoretically, European regulatory bodies could start enforcing the decision, but they seem unlikely to do so. Ultimately, it now boils down to the discretion of each country’s own data protection agency. Some could still abide by the Safe Harbor principles, while others might develop their own standards. The EU is working on a General Data Protection Regulation, but that’s not slated for adoption until 2017. There’s even work being done on a Safe Harbor version 2.0, which is alleged to have much stricter standards for data privacy. But, as Omer Tene, vice president of research and education for the International Association of Privacy Professionals (IAPP), said during a recent IAPP Web conference, “A Future With No US-EU Safe Harbor?”: “Don’t hold your breath.”
So, for many companies, questions remain: How do we continue to transfer data from Europe to the U.S. as is essential to our operation? How do we ensure compliance in the absence of a standard? Companies now are left to work with their attorneys and the EU data protection authorities to find a solution.
It appears that many will now rely on model contracts. The IAPP’s “Privacy Advisor” blog reports the opinion of Christopher Kuner of the law firm Wilson Sonsini Goodrich & Rosati:
“These other mechanisms aren’t invalidated,” said Kuner. Standard contractual clauses and BCRs [Binding Corporate Rules] are still viable options for organizations, but looking forward logically, he explained, you could apply the same criticisms of Safe Harbor to these alternatives. “I doubt anyone will go against BCRs at the moment,” he said, “but there are bigger, longer-term implications” for them moving forward.
Brian Hengesbaugh, a partner at Baker & McKenzie LLP, said during the IAPP Web conference that each company is a different story and should take a look at itself:
They should assess “where and how [they] rely on Safe Harbor, in terms of data that [they] receive and data that [they] send to service providers.… [Companies must] think through whether the transfer is actually necessary.” Hengesbaugh claims companies should be asking, “What are some logical ways we could look to enhance the program?” and states that this “needs to be part of a broader strategy that the company is taking to manage its risks [and] understand its risks.”
The long-term consequences of the EU ruling cannot be known. But, as security professionals, what should we do now?
- Work closely with legal professionals who specialize in privacy law. There is no clear path forward for companies that must transfer data from the EU to the U.S. As such, any action will require an analysis of potential outcomes and negotiation with the data protection authorities. Leave the legal work to professionals in this area.
- Understand any new requirements. If your organization chooses to implement contractual measures, work to understand any security principles that have been agreed to.
- Present potential compensating measures. There may be technical options to help mitigate risk. These may include reducing the amount and type of data transferred, storing only encrypted copies of the data in the U.S., further restricting access of U.S. professionals, or increasing the diligence of EU data monitoring. Technology and security professionals can aid privacy attorneys by presenting potential options for risk mitigation.
- Keep protecting data. Security experts should bear in mind that the ruling challenged data sharing, not the information security principles of the Safe Harbor standard. Therefore, during this period of uncertainty following the CJEU judgment, you should continue to protect EU data from compromise as you have been doing under Safe Harbor.