Kreller's Due Diligence Blog
Safe Harbor 2.0 - January 31st Deadline Looming
Wednesday, January 27, 2016
by Lori Galvin
January 31st is days away, leaving US businesses to wonder whether Safe Harbor 2.0 will ever become a reality and, if so, whether it will come in time to meet the January 31st deadline set by the EU data protection authorities. While nothing is certain, it seems unlikely that Safe Harbor 2.0 will be agreed upon soon. If not Safe Harbor, then what?
On October 6, 2015, the European Court of Justice (ECJ) issued a non-appealable ruling in Schrems v Data Protection Commissioner1 which invalidated the 15-year-old Safe Harbor arrangement between the European Commission and the United States. The Safe Harbor framework, approved by the European Commission in 2000, allowed for the transfer of personally identifiable information (PII)2 from the EU to the United States. Essentially, the Court held that the Commission's finding that the United States adequately protected personal information could not stand. In particular, the Court found that US law gave US government agencies overly broad access to transferred data, without effective limits or judicial remedies for EU citizens. The Schrems case was part of the fallout from the revelations made by Edward Snowden in 2013 regarding the US National Security Agency’s (NSA) global surveillance and eavesdropping programs.
Following the Court’s ruling, on October 16, 2015, the EU’s Article 29 Working Party (WP29) issued a formal statement in response. The Working Party is an independent advisory body composed of representatives from the national data protection authorities (DPAs) of the EU Member States, the European Data Protection Supervisor and the European Commission.
The key points from the WP29 statement were the following:
- Transfers that are still taking place solely under the Safe Harbor framework are unlawful
- The current negotiations around a new Safe Harbor (commonly referred to as Safe Harbor 2.0) may be part of the solution
- In the interim, the WP29 will continue to review the impact of the ruling on other available transfer mechanisms, such as the EU Model Clauses (Standard Contractual Clauses3, aka SCCs), Binding Corporate Rules4 (BCRs), and derogations5 (such as individual consent, performance of a contract, legal claims and public registries/databases)
- These alternative transfer mechanisms may be subject to investigation by DPAs to protect individuals in particular cases, such as where a complaint is made
- Lastly, it stated, “If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
To make matters more complicated, a little over a week later, on October 26, Germany’s national conference of Data Protection Commissioners (DSK) published an update to its position paper in response to the ECJ ruling, further restricting data transfers. The DSK’s position was consistent with the ECJ ruling in stating that transfers taking place solely under the Safe Harbor framework were illegal. It also questioned the admissibility of data transfers to the U.S. on the basis of other transfer mechanisms, such as SCCs or BCRs. It indicated that it would approve no new BCRs or data export contracts for transfers to the U.S., and that consent may, only in certain limited circumstances, provide a legal basis for such transfers.
Where We are Today
Negotiations between the European Commission and US authorities regarding Safe Harbor 2.0 have been ongoing since 2013, following the Snowden revelations. According to European Commissioner Věra Jourová, two of the major sticking points to reaching an agreement on a new Safe Harbor are the requirement of guarantees of effective judicial control over public authorities’ access to data for national security, law enforcement and public interest purposes and, in the event of a violation, the ability of EU citizens to enforce their rights.
In fact, one of the prerequisites that the EU set forth as an essential component of reaching a new Safe Harbor agreement was the United States’ adoption of the Judicial Redress Act. The Judicial Redress Act would allow citizens of designated European countries to sue the United States for unlawful disclosure of personal information obtained in connection with international law enforcement efforts. Unfortunately, on January 21st the Senate Judiciary Committee delayed voting on several bills, including the Judicial Redress Act. This will likely further stall EU/US negotiations regarding Safe Harbor 2.0.
However, according to Reuters, the United States allegedly submitted a package of proposals regarding a new Safe Harbor the week ending January 15th, which included a letter from U.S. Secretary of Commerce Penny Pritzker explaining U.S. commitments on the oversight of a possible new framework.
As of now, EU Data Protection Authorities (WP29) are scheduled to meet on February 2 in an effort to adopt a common position across the DPAs and decide if they should begin enforcement action against companies if they determine all transfer mechanisms violate EU law and there is no new framework in place.
Also Worth Considering
Another important consideration for US companies is that the final draft of the new General Data Protection Regulation (GDPR) was agreed on December 15, following negotiations which started back in 2012. The GDPR would replace the EU Data Protection Directive and take the form of a regulation rather than a directive. As such, it will be binding law directly applicable in all EU member states, with no need for national implementing legislation. Following formal adoption, it will apply two years later, which will likely be in 2018 given that the final text is expected to be approved early this year.
In addition to addressing much of the same ground as the EU Data Protection Directive, some of the key points of the new GDPR are as follows:
- Substantially increased fines for violations, up to a maximum of 4% of a company’s global annual revenue or €20 million, whichever is higher
- Broader reach: jurisdiction will be based on the location of the data subjects rather than of the company, meaning that companies outside the EU that offer goods or services to, or monitor, individuals in the EU will be covered by the new regulation
- Recognition of SCCs and BCRs as legitimate frameworks for transferring EU citizens’ data out of the EU
- A requirement that companies notify the competent supervisory authority (data protection authority) of a personal data breach within 72 hours of becoming aware of it
- More rigorous requirements for obtaining an individual’s consent to the collection of personal data
- Data subjects will be able both to request that their data be transferred from one service provider to another (data portability) and, in certain circumstances, to have their personal data erased on request
- Companies will only be allowed to retain personal data for a limited time; at the end of that period, the company will be required to review the data or erase it
- Companies that process sensitive data on a large scale will be required to appoint a data protection officer
As you can see, there are numerous and competing facets to the EU/US data transfer situation, making it very complex and ever evolving. What has become clear, however, is that US companies, if they haven’t already, need to review their current practices with respect to the transatlantic transfer of data and, if necessary, confer with legal counsel to create a data plan that best suits their company, both in the short term and the long term.
1 Maximilian Schrems, an Austrian resident, brought a complaint against Facebook Ireland (the European subsidiary of Facebook that contracts with European customers). In light of the Snowden revelations, Schrems asked the Irish Data Protection Commissioner to order Facebook Ireland to suspend the flow of personal data from the EU to the U.S.
2 Personally identifiable information (PII), as defined by NIST, is any information about an individual that is maintained by an agency, including information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
3 Standard contractual clauses (SCCs), also referred to as model contract clauses, are a type of contract that includes specific provisions for dealing with data protection. The EU-approved model contracts are blank templates which can be filled in with the pertinent organizational information. There are two types of model contracts, depending on whether the recipient outside the EU acts as a data controller (for example, another group company) or as a data processor (for example, an outside vendor/supplier).
4 Binding Corporate Rules (BCRs) are used by multinational companies to transfer information from their entities within the European Economic Area (EEA) to their affiliates located outside of the EEA. BCRs typically take months to implement, in part because the organization must have its proposed BCRs approved by the data protection authorities in each EU jurisdiction where it operates.
5 There are other derogations that allow for personal data transfers, such as: 1. consent given unambiguously to the proposed transfer; 2. the transfer is necessary for the performance of a contract; 3. the transfer is necessary or legally required on important public interest grounds; 4. the transfer is related to legal claims; 5. the transfer is necessary to protect the vital interests of the data subject; and 6. the transfer is made from a public registry/database, so long as the conditions governing the registry are fulfilled.
Since 2007, Lori Galvin has been Vice President of Global Investigations for the Kreller Group, responsible for domestic and international due diligence investigations in over 200 jurisdictions globally. Prior to her tenure at Kreller, she conducted due diligence, corporate and workplace violence investigations and specialized in threat assessment and management for corporate investigative firms. Galvin received a B.A. in Criminology with minors in Spanish, Psychology and Political Science from Ohio University. She is a Certified Fraud Examiner (CFE) and holds both the Professional Certified Investigator (PCI) and Certified Protection Professional (CPP) certifications from ASIS International. She also serves on the Investigations Council for ASIS International.