The Internet makes sending data from the EU to the US easy. Making that data transfer compliant, well, that’s not so simple. Data protection laws differ among the EU member states, and getting approval from each nation’s Data Protection Authority (DPA) can be time consuming and complex. That’s where the EU Safe Harbor agreement came in: companies that self-certified for Safe Harbor could transfer data without seeking approval from each of those individual DPAs.
Unfortunately, that scheme fell apart when the European Court of Justice ruled in October 2015 that Safe Harbor wasn’t valid. As a result, it’s no longer clear to companies what they need to do to be compliant with European data protection laws when moving data to the US.
The Immediate Effect
Unfortunately, there isn’t a lot of guidance for companies right now. The one thing that is clear is that companies can’t solely rely on Safe Harbor.
Each of the European DPAs (there are 28, more if you count the 17 “sub-DPAs” in Germany) can now make its own analysis regarding the adequacy of the steps any company takes when transferring data out of its jurisdiction.
This doesn’t mean companies can no longer transfer data, but there’s no guarantee that any measures companies take will be approved. There’s also no indication on what kinds of potential damages companies might face if their measures were deemed insufficient.
There are alternatives to Safe Harbor that companies can adopt, mainly model contract clauses and binding corporate rules. These measures have problems, though; they can be complicated and expensive to implement. Worse, it looks like those may not stand up to European scrutiny in the post-Safe Harbor environment. German DPAs have already said they aren’t acceptable and won’t authorize any transfers based on these measures.
Safe Harbor 2.0 is Coming Soon—Maybe
The good news is that the EU and US were already negotiating a new Safe Harbor framework before the court rendered its decision, after Edward Snowden’s revelations of NSA capabilities raised concerns. The EU’s regulators set a deadline of the end of January 2016 to reach a new agreement, and they aren’t planning widespread action before then. Even better news is that the European Justice Commissioner has said an agreement in principle has been reached.
The not-so-good news is that past experience indicates this kind of negotiated agreement takes time to be finalized and approved. Those “in the know” whisper that it will take six months or longer for a new framework to be completed. One sticking point, giving European citizens the right to redress in American courts, requires Congressional action. Other court cases may complicate reaching an agreement that satisfies European data privacy concerns, including an ongoing case in the US that will decide whether US authorities can subpoena data Microsoft houses on a server in Ireland.
Agreement or No Agreement, Think Beyond Safe Harbor 2.0
Waiting for the negotiations to complete will put companies at risk; based on the European court’s decision, the DPAs have the authority to act on individual complaints immediately, even before the planned January enforcement date.
While there are currently no clear guidelines, companies will need to be able to show they’re taking steps outside Safe Harbor to meet European data privacy concerns. This means researching the alternatives of model contract clauses, binding corporate rules, and other consents to data transfers, plus identifying sensitive data flows to other firms once the data reaches the US. Firms need to find out what their cloud providers are doing with their partners, too.
Encrypting and tokenizing data is a technical solution that companies should consider beyond any legal framework for compliant data transfers. It doesn’t give legal authority to transfer data, but it means that transferred data is protected from unauthorized access, and in many jurisdictions data that is rendered indecipherable (primarily via tokenization) is considered to meet an individual’s reasonable expectation of privacy. Under a proposed new EU data protection law, encrypted and tokenized data would also be exempt from data loss notification. Ensuring that any data transfer a company is currently conducting would be exempt from disclosure in the event of a breach goes a long way toward limiting the risk associated with these transfers.
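To make the tokenization idea concrete, here is an added example (not code from the original post or from any vendor it mentions) of vault-based tokenization in Python. The model it assumes: the vault holding the real values stays in the EU, the dataset that crosses the Atlantic carries only random tokens, and the US side can still join records on a token because the same input always maps to the same token. The records, field names and `tok_` prefix are constructed for the illustration.

```python
import json
import secrets

# Fields treated as personal data in the constructed sample records.
PII_FIELDS = ("email", "name")


class TokenVault:
    """Vault-based tokenization.

    Real values are kept only in this object (conceptually, a service that
    stays inside the EU). Tokens are random, so a copy of the tokenized
    dataset alone cannot be reversed; only the vault can detokenize.
    """

    def __init__(self, token_bytes=16):
        self._forward = {}       # real value -> token
        self._reverse = {}       # token -> real value
        self._token_bytes = token_bytes

    def tokenize(self, value):
        # Deterministic per value: repeat values get the same token so the
        # receiving side can still group or join on them.
        if value in self._forward:
            return self._forward[value]
        while True:
            token = "tok_" + secrets.token_hex(self._token_bytes)
            if token not in self._reverse:      # guard against a collision
                break
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token):
        if token not in self._reverse:
            raise KeyError("unknown token: %s" % token)
        return self._reverse[token]


def tokenize_record(record, vault, fields=PII_FIELDS):
    """Return a copy of the record with PII fields replaced by tokens."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = vault.tokenize(out[field])
    return out


def detokenize_record(record, vault, fields=PII_FIELDS):
    """Inverse of tokenize_record; only works with access to the vault."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = vault.detokenize(out[field])
    return out


def build_transfer_payload(records, vault):
    """The dataset that would actually be sent to the US: tokens, not PII."""
    return [tokenize_record(r, vault) for r in records]


def payload_contains_pii(payload, records, fields=PII_FIELDS):
    """Check before transfer: does any original PII value appear in the payload?"""
    serialized = json.dumps(payload)
    for record in records:
        for field in fields:
            value = record.get(field)
            if value is not None and value in serialized:
                return True
    return False


# Constructed sample data; records 0 and 2 belong to the same customer.
SAMPLE_RECORDS = [
    {"email": "anna@example.eu", "name": "Anna Example", "order_total": 42.50, "country": "DE"},
    {"email": "bob@example.eu", "name": "Bob Example", "order_total": 10.00, "country": "FR"},
    {"email": "anna@example.eu", "name": "Anna Example", "order_total": 7.25, "country": "DE"},
]


if __name__ == "__main__":
    vault = TokenVault()                       # stays in the EU
    payload = build_transfer_payload(SAMPLE_RECORDS, vault)
    print(json.dumps(payload, indent=2))      # what crosses the Atlantic
    print("PII leaked:", payload_contains_pii(payload, SAMPLE_RECORDS))
    print("Restored:", detokenize_record(payload[0], vault))
```

Because the tokens are random rather than derived from the values, there is no key to lose on the US side; the trade-off is that the vault becomes the asset to protect and keep inside the jurisdiction. Deterministic tokens also reveal that two records share an email address, which is usually desired for analytics but worth noting when the equality itself is sensitive.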
Expect More Changes Long Term
Even if a Safe Harbor 2.0 agreement is approved by the EU Commission, it’s uncertain whether it will satisfy the European Court. Some believe U.S. law simply isn’t compatible with the kinds of guarantees the Europeans require.
Microsoft is attempting to protect some of its data through a new model, where a European company serves as “trustee” for the data. It’s unclear whether this approach will be effective. Through its president and chief legal officer, Microsoft has also called for a completely new privacy framework to be developed. The privacy laws governing data transfer come from the 1980s, literally a different century, when the Internet was brand new and widespread transfer of data was barely envisioned, let alone necessary.
Get Started with These Helpful Resources
Until a 21st-century data protection framework is developed, companies will have to take proactive steps to prepare for whatever form the 20th-century Safe Harbor agreement takes going forward. Check out our on-demand webinar and our EU Safe Harbor resource center to learn more about what you need to do now.