In a recent blog post, we referred to the now defunct EU-US Safe Harbor framework as a house of straw, while comparing the European Commission (EC) Model Clauses (the theoretical replacement) to a house of sticks – better, perhaps, but still vulnerable to wolf-force winds.
It turns out we are not the only ones falling back on children’s story analogies. In a webinar last week, a prominent privacy lawyer from DLA Piper stated that “it will take a while to put Humpty Dumpty back together again” implying that Model Clauses were not going to instantly fix a fractured EU data privacy system.
While cloud vendors including Google, Salesforce and Microsoft have rushed to offer customers amended contracts with Model Clauses, there is increasing evidence that this approach will not be acceptable to many of the EU data protection authorities (DPAs) as a simple replacement for Safe Harbor. Initial statements from a number of DPAs highlight how fragmented and subjective European data protection has become:
- The Austrian DPA initially stated that it would accept EC Model Clauses as basis for transfers of personal data to the US. Subsequently it clarified that the DPA would still have to approve specific transfers based on Model Clauses.
- Authorities in Spain have opposed the idea that EU Model Clauses could be used as the sole basis for exporting data to the US.
- One of seventeen German regional DPAs (in Schleswig-Holstein) announced its view that because of the European Court of Justice (ECJ) decision, data transfers based on the EU Model Clauses are not permitted anymore.
- The UK ICO issued a statement that businesses will need to review how data is transferred to the US but “we recognise that it will take them some time for them to do this.”
- DPAs in Ireland, France, Italy, Netherlands, Belgium, and Portugal have issued statements that they are studying the issue and hope for a “shared position” from authorities across Europe.
The core debate is that the ECJ decision striking down Safe Harbor was based largely on the Snowden revelations regarding NSA programs. While the EC Model Clauses provide clearer jurisdiction for EU DPAs, they still make exceptions for “legally binding law enforcement requests” which could still include compelled disclosure to government agencies.
So what should multi-national businesses do with all this uncertainty?
- You could stop using the cloud or transferring data across the Atlantic. That might make the DPAs happy, but it’s unlikely to be practical, sustainable, or make business sense.
- You can ignore the issue, wait for the dust to settle, and hope a new blanket Safe Harbor replacement is agreed upon. That may take a while, and privacy advocates like Max Schrem now have the green light to challenge other data transfers.
- You can take proactive steps to reduce you exposure by anonymizing sensitive personal data before it leaves a country. Many of our customers have taken this approach using a Cloud Access Security Broker (CASB) to encrypt or tokenize sensitive data and are confident they can avoid this legal quagmire.