The Safe Harbor
For 15 years, the Safe Harbor Framework has provided a way for U.S. companies to comply with the EU Data Protection Directive. Under the directive, transfers of personal data from the EU to a non-EU country are prohibited unless the receiving country can assure an adequate level of protection for the data. While a number of countries do comply – among them Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay – the United States does not. The Safe Harbor Framework was developed by the United States Department of Commerce and the European Commission as a mechanism to address the EU law’s adequacy standard. U.S. businesses voluntarily participate in the Framework and thereby comply with its terms.
Implications of the Decision
While the headlines are stark, the implications of the decision are unclear. It is generally understood that companies currently operating under the Safe Harbor Framework may be subject to claims that data transfers are unlawful under the EU laws and subject to suspension of data transfers by EU Member State data protection authorities. Whether EU Member State data protection authorities proceed or respond to complaints, or whether companies will be given a grace period to effectuate changes, is not clear.
There also remain a variety of different ways U.S. companies can meet EU privacy requirements, such as “Binding Corporate Rules” (BCRs), which are contractual mechanisms for ensuring compliance, though they also may not protect against intelligence surveillance activities. These methods are, however, unwieldy and expensive to implement.
The decision also comes at a time when the United States and European Commission are working on improvements to the current structure, as well as the pending implementation of a new regulatory regime for privacy in the EU that will replace the existing Privacy Directive.
What to Do
We advise companies to take action now to meet compliance requirements. Among other things, U.S. companies that transfer data from the EU should consider:
- Assessing the nature and scope of the organization’s reliance on the Safe Harbor Framework for data transfers.
- Analyzing whether alternative mechanisms for data transfer compliance are available.
- Determining whether containment of all or some data within the EU is feasible.
- Assessing contractual commitments based on Safe Harbor compliance and determining whether other contractual terms can be inserted (e.g., BCRs).
Finally, we suggest that our clients take this opportunity to review their privacy and security policies, procedures and technology. Regardless of the existence or lack of the Safe Harbor, and whether or not there are other compliance mechanisms, a company that has implemented effective privacy and security controls will be in a better position to meet the demands of the future.
Robert E. Braun is a corporate lawyer and the co-chair of the Cybersecurity and Privacy Group at Jeffer Mangels Butler & Mitchell LLP in Los Angeles. He and his team represent clients in a wide range of industries, covering all substantive areas of data security and privacy including information technology, financial, health, employment and personal privacy, litigation and technology transactions. He is experienced in a full range of cybersecurity and privacy matters including data breach issues, development of security incident response plans, crisis management, development of data security and retention policies, forensic investigations of information systems, internal investigations and audits, and internet privacy matters. Contact Bob at RBraun@jmbm.com or +1.310.785.5331.