In our Winter edition of OnPoint I discussed the European Union’s October 6 ruling against the Safe Harbor data-sharing agreement between the United States and Europe that had provided a legal framework for the permissible sharing of information between organizations on both continents. Since then a lot has changed, and, although nothing has been finalized yet, organizations in the United States and Europe are getting closer to having a workable solution in place for the legal transfer of European citizen data to U.S.-based servers.
Current State of Safe Harbor
Until a new agreement is formalized only alternative means exist for the legal transfer of European data to U.S. soil:
- Contractual Solutions – Organizations can use model contractual clauses approved by the European Commission.
- Binding Corporate Rules (BCRs) for Intra-Group Transfers – Internal policies adopted and formally approved by the European Data Protection Authorities.
- Derogations – Under EU Data Protection Directive 95/46/EC, data transfers are also permitted in certain circumstances when informed consent is in place (e.g., in order to book a hotel room in the U.S.).
While there have been concerns amongst U.S. organizations as to whether they could still face legal action even if these methods are adopted, one recent bright spot to come out of the void left by Safe Harbor is that the Article 29 Working Party (the body made up of representatives of individual European Member States’ data protection authorities) has agreed to suspend concerns over the legality of these methods and not block transfers of data performed under the terms of these alternative mechanisms. In essence, the WP29 is cutting U.S. organizations a break until the new agreement is ratified, so long as they are able to show that they are in compliance via one of the aforementioned methods (however, legal action is still possible if organizations choose to “wait it out” and not employ these methods).
In a November 6 press release the European Commission indicated that they hoped to conclude negotiations with the United States “within three months”; they ended up being slightly ahead of schedule. On February 2 the European Commission released another press statement indicating that the two parties had “agreed on a new framework for the transatlantic data flows.” Known as the EU-US Privacy Shield, the arrangement includes the following, more robust elements for protecting the personal data of EU citizens:
- Strong obligations on organizations handling Europeans’ personal data and robust enforcement;
- Clear safeguards and transparency obligations on U.S. government access; and
- Effective protection of EU citizens’ rights with several redress possibilities.
In addition to carrying forward many of the original provisions of the Safe Harbor agreement, the EU-US Privacy Shield introduces some new stipulations that address many of the perceived shortcomings of Safe Harbor that led to its dismissal. Included in the new agreement is a requirement that US. organizations publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. It also includes written assurances from the U.S. that clear limitations will exist for collection and storage of EU-citizen data by law enforcement and national security agencies, as well as monitoring mechanisms that give the EU the means to evaluate compliance. Lastly, alternative dispute resolution will be provided free-of-charge to those that feel their privacy has been violated, and the U.S. will appoint an ombudsman to follow up on complaints regarding government surveillance of Europeans.
Although the European Commission believes that the agreement is “watertight”, some privacy advocates believe that the agreement still does not have the teeth to address the underlying concerns that led to the initial dismissal: U.S. government data collection and surveillance. While the ombudsman appointed to oversee U.S. intelligence agency data collection is responsible for reporting back to the Commission regarding compliance, they are under no obligation to actually say whether a particular citizen is under surveillance or, if a remedy has been applied to correct illegal surveillance, what that remedy entailed.
What’s Next for U.S. Organizations?
Until the new agreement is ratified, U.S. organizations must still use the three alternative means for legal data transfer with the European Union. Although it is still possible that the agreement gets amended or not adopted at all, it is best to be prepared in the likely event that it does.
If the agreement does get approved, U.S. organizations will have to take several steps to comply with the principles set forth (full details of the principles can be found in the complete text of the 128-page agreement that is available for download from the U.S. Department of Commerce’s web site). The Department of Commerce will certify compliance if organizations comply with four requirements:
- The organization must fall under the enforcement authority of the FTC or another U.S. agency that can enforce compliance;
- It must publicize its commitment to adhere to the Privacy Shield principles;
- It must implement the Privacy Shield principles.
An organization seeking certification with the Department of Commerce must provide a detailed description of its activities involving EU residents’ personal data and its related privacy policies. The certification application must be signed by a corporate officer and renewed annually.
The EU has not set a deadline by which they hope to ratify the agreement. Therefore, if your organization has been impacted by Safe Harbor, it is best to take the following steps to ensure legal compliance:
- In the interim, ensure that data transfers with the EU are legal by utilizing one or more of the alternative means accepted by WP29.
- Familiarize yourself with the policies set forth in the new Privacy Shield to determine if any internal changes need to be made in order to comply with the new provisions.
- Make the necessary changes to internal policies and procedures to comply with the new provisions.
Chris Debo is a Senior Manager in our Columbus Technology Advisory practice and an adjunct professor of Management Information Systems at The Ohio State University’s Fisher College of Business. He can be reached by phone at 614-586-7108.