
The 5C’s of US-EU Safe Harbor: From Consensus to Collapse and Continuing On

The world’s modern economy is largely based on free trade, with goods moving easily between countries. With the development of the Internet, the free movement of information has become crucial to business as well. Thousands of American companies share data with European partners, but the smooth flow of information is complicated by the two continents’ differing perspectives on data privacy. In the United States, privacy is largely seen as a consumer protection issue; the EU treats it as a fundamental human right.

The EU-US Safe Harbor agreement made it possible for US companies to receive data from across the Atlantic and satisfy European privacy principles. Now that agreement has been invalidated, and companies need to find new ways to ensure data will be adequately protected—for most businesses, stopping the exchange of data isn’t feasible, let alone desirable. Here’s a look at how we got here and practical solutions for moving forward.

Consensus on Privacy (1990-1999)

The Internet was just beginning to become popular during the ’90s; only 20 million Americans were online by the middle of the decade. Positions on data privacy also began developing at that time.

In the United States, President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) in 1996; federal rules regarding privacy of financial information were part of the 1999 Gramm-Leach-Bliley Act (GLBA). State laws requiring public breach notification started in California and now apply in 48 states. While the US has strong privacy laws, they have evolved for specific industries or at the state level, and there’s no broad nationwide mandate for privacy.

Across the Atlantic, the Data Protection Directive of 1995 created standards that applied to data exchange among European states; this was needed because the unique rules of each country were hindering intra-European trade. When the directive took effect in 1998, it restricted the exchange of personal data with non-European states that lacked similar strict privacy rules.

Collaboration Across the Atlantic (2000)

Because the EU viewed American data protection laws as inadequate, the Data Protection Directive made it difficult to transfer data from Europe to the United States. The US-EU Safe Harbor agreement was developed to enable data sharing between European and American businesses and ensure that they complied with European standards. Without this framework, companies needed to make sure their processes satisfied the rules of each country’s individual data protection authority.

At a high level, the Safe Harbor rules require companies to inform people about the collection and use of personal data and keep it secure. Companies that gather information can be held accountable for adhering to the framework’s requirements. By going through Safe Harbor self-certification, companies eliminated the need to obtain separate authorization for data transfer from individual European countries.

Cracks in the System (2013-2015)

Safe Harbor was designed to alleviate European concerns about American privacy laws, but trust was greatly reduced in 2013 when Edward Snowden revealed the extent of American spy agencies’ access to telecommunications and Internet data. The broad surveillance, which included spying on European government leaders, made many Europeans doubt their personal data was secure when it crossed the Atlantic.

Near the end of 2013, following these revelations, the European Commission expressed criticism of Safe Harbor. The commission expressed concern about privacy policies, how they were applied by American companies, and how effectively Safe Harbor was being enforced.

Collapse of Trust (October 2015)

The system completely fell apart on October 6, 2015 when the European Court of Justice (ECJ) ruled that EU Safe Harbor was not adequate due to access granted to American law enforcement and the lack of legal recourse for Europeans who felt their privacy was violated in the U.S.

The case was based on a legal challenge from an Austrian citizen, Max Schrems, who claimed his privacy rights were violated by Facebook. When this case reached the ECJ, many were surprised by the emphatic verdict that threw out Safe Harbor and reinforced the power of 28 separate EU Data Privacy Authorities (DPAs).

Cooperation to Rebuild (2015 onwards)

As a result of the court’s decision, Safe Harbor is no longer valid – effective immediately. Negotiations on a new agreement, which started after the European Commission’s report in 2013, are still ongoing. Because there isn’t an overarching European standard any more, companies will need to make sure they satisfy the rules of the member states.

There’s no clear guidance yet on how to do that. The Department of Commerce is continuing the Safe Harbor self-certification program, although there’s no longer any real point to it. There are a few other options companies can use, but each has benefits and limitations:

  • Seeking User Consent to transfer data seems like a good idea. However, in many EU countries users cannot legally waive their rights to privacy.
  • EU Model Clauses have been adopted by many companies as a temporary fix, but they raise significant new concerns about jurisdiction and enforceability. They may not be any more acceptable to EU nations than the Safe Harbor policies.
  • Adopting Binding Corporate Rules is also a possible option but they are very time consuming and expensive to implement, making them impractical for many businesses.
  • Waiting for a new Safe Harbor – negotiators have claimed they are close to a new agreement, but it won’t likely give the blanket immunity of the previous framework. Individual DPAs are likely to insist that they still have the authority to challenge violations of individual businesses.
  • Anonymizing data remains one of the best ways to reduce the scope of data being transferred and eliminate many of the legal risks. Encryption or tokenization of private data are effective technologies, but businesses need a clear understanding of exactly what type of data should be protected.
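To make the last option concrete, here is an added illustration (not code from the original post) of reducing the scope of transferred data: personal fields are replaced by random tokens whose mapping stays in an EU-hosted vault, the customer identifier is replaced by a keyed pseudonym so records can still be joined abroad, and a pre-transfer gate refuses any record in which an original personal value survives. The field classification, the vault design and the sample record are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Classification is the business's own decision (constructed here): personal fields that must
# not leave the EU in the clear, and the subset of those still needed as join keys abroad.
PII_FIELDS = {"customer_id", "name", "email", "iban"}
JOIN_FIELDS = {"customer_id"}


class TokenVault:
    """Reversible tokenization. The token -> value mapping stays inside the EU; only the
    random tokens leave, so the receiving side learns nothing about the original values."""

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = value
        return token

    def detokenize(self, token):
        return self._store[token]


def pseudonymize(value, key):
    """Deterministic keyed hash: the same input always yields the same output, so records can
    still be joined after transfer, while the key itself never leaves the EU."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def prepare_for_transfer(record, vault, join_key):
    """Return the copy of the record that is allowed to cross the Atlantic."""
    outbound = {}
    for field, value in record.items():
        if field in JOIN_FIELDS:
            outbound[field] = pseudonymize(value, join_key)
        elif field in PII_FIELDS:
            outbound[field] = vault.tokenize(value)
        else:
            outbound[field] = value  # non-personal business data passes through unchanged
    return outbound


def leaks_pii(outbound, original):
    """Pre-transfer gate: True if any original personal value still appears in the outbound copy."""
    originals = {original[f] for f in PII_FIELDS if f in original}
    return any(v in originals for v in outbound.values())


# Constructed sample record, not real customer data.
EU_RECORD = {"customer_id": "C-1001", "name": "Anna Muster", "email": "anna@example.eu",
             "iban": "DE00 0000 0000 0000 0000 00", "order_total": 149.99, "country": "DE"}
```

The gate is the important part: a record that fails `leaks_pii` should never be sent, and the vault and HMAC key must be hosted and administered in the EU for the data-minimization argument to hold.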

Visit our US-EU Safe Harbor Resource Center to learn more about what the change to Safe Harbor means and how you can continue to satisfy European regulations and access the data your business needs.
