Without doubt, Tuesday’s historic decision by the Court of Justice of the European Union (CJEU) invalidating the EU-U.S. Safe Harbor Agreement has ruffled a lot of feathers in the business community, while reenergizing privacy advocates in the EU and abroad. Now that the main agreement allowing the transfer of personal data between the two regions is essentially dead, what should privacy professionals be thinking and doing? Should privacy officers expect a knock on the door from a European data protection authority (DPA) tomorrow morning?
If you’re planning what to do now, then you’re too late, said Eduardo Ustaran, CIPP/E, of Hogan Lovells. “Many have already predicted this and the necessity for a plan B,” he added during an audio conference, “A World Without Safe Harbor?,” hosted by the IAPP Tuesday afternoon. Though many businesses are in limbo, Ustaran said, moving forward, companies need to assess their most critical data transfers, deal with those first and put alternative contracts in place as soon as possible.
Could a business rely on the principles of Safe Harbor, queried moderator Omer Tene, of the IAPP, and argue to DPAs that they’ve provided adequate data protection?
“You could argue that,” said Wilson Sonsini’s Christopher Kuner, “but it would be a crap shoot. The court clearly doesn’t find the Safe Harbor principles adequate.” Some DPAs might find the principles adequate, Kuner explained, while others would not, resulting in fragmentation and uncertainty in the region.
“I think it’s important to take a deep breath,” said Brian Hengesbaugh of Baker & McKenzie, and one of the lead negotiators while at the U.S. Department of Commerce when the Safe Harbor was originally put in place.
“This is not the end of the road. The European Commission is still working with the U.S. Department of Commerce to update a new Safe Harbor agreement, and, even today, the Commission said it was pleased with the process.” He added, “If tomorrow morning you receive an enforcement action from a DPA, I really think that would be a misuse of legal authority with good faith actors.” He noted that hundreds of businesses take the Safe Harbor Agreement seriously. Hengesbaugh also warned that small- and medium-sized businesses will really feel the weight of this decision, noting that many do not have the resources to commit to attaining a Binding Corporate Rules (BCRs) contract.
“These other mechanisms aren’t invalidated,” said Kuner. Standard contractual clauses and BCRs are still viable options for organizations, but looking forward logically, he explained, you could apply the same criticisms of Safe Harbor to these alternatives. “I doubt anyone will go against BCRs at the moment,” he said, “but there are bigger, longer-term implications” for them moving forward.
For instance, who’s to say that European citizens—what Tene referred to as the “500 million Max Schrems”—won’t file a similar complaint against a Facebook in Poland to challenge one of these alternative transfer mechanisms?
“Many people are focused on the power of the DPAs,” said Kuner, “but that’s not going to be the biggest risk of enforcement.” He said the court decision has empowered individuals, and that, now, DPAs have the obligation to investigate a citizen complaint. “I think some DPAs are uncomfortable about this judgment,” he said. Some DPAs will be thought of as being too lenient on a company, while others may be perceived as being too harsh under political pressure.
“Yesterday I was excited people were focused on privacy and surveillance laws globally, but, today, I felt very sad about this decision, which is surprising,” said Center for Democracy & Technology President and CEO Nuala O’Connor, CIPP/US, CIPP/G. She said she’s never really backed the Safe Harbor Agreement, referring to it as a “creaky political vehicle” that was “limited in scope and predicated on a thin legal basis.”
But O’Connor expressed a “profound sense of loss” after today’s decision.
“There’s a significant dysfunction in the EU and U.S. dialogue on privacy and surveillance,” she explained, adding, “I don’t think anybody’s privacy is better today than yesterday.” She said the bigger issue surrounding the Safe Harbor decision revolves around government surveillance and the transfer of personal data from companies to governments—the crux of the Snowden revelations, not just in the U.S. but the EU as well—and that issue ultimately needs to be dealt with. However, “That’s a government-to-government dialogue.”
Wilson Sonsini’s Kuner agreed, saying that government surveillance is not solvable via data protection law: “It has to be a government agreement.”
“From a practical perspective, forget about Safe Harbor,” said Ustaran. Organizations do have a range of options available to them. But first, he explained, “they need to differentiate between internal transfers and external ones with service providers.” For the former, organizations can use ad hoc contracts, intragroup agreements, standard contractual clauses and BCRs. “For those companies that have been taking Safe Harbor seriously, the obvious choice moving forward is to assess to what extent their Safe Harbor compliance program could be recycled into a BCR program.”
“In my experience, there’s not a big difference between the two,” he said. Yet, for the external transfer, customers are often at the mercy of what their vendors offer and that could be problematic.
“Good cross-border transfer solutions are not made over night,” said Baker & McKenzie’s Hengesbaugh. “Get it done in a strategic way and think about how you’ll approach it,” he said, “and give the political process time to work itself out.”
“If international data transfers have been a big issue,” said Ustaran, “as of today, they are going to become a number-one issue from a compliance standpoint,” warning, “We’re going to be stuck for another 20 years on data transfer restrictions.”
In deciphering the long view, Kuner expressed pessimism, asking, “What is the endgame?” He said the “EU is getting parochial in data protection,” and that he's “worried about the inward-looking, narrow view of the EU regarding data transfers.”
And what about the new, ongoing Safe Harbor negotiations between the U.S. Department of Commerce and the European Commission, what some refer to as Safe Harbor 2.0?
Kuner expressed concern that even a new agreement may not hold sway based on today’s decision. “A Safe Harbor 2.0 might not even help right now. This would have to pass muster under legal standards and they’re being set quite high.”
The CDT’s O’Connor was a bit more optimistic about today’s decision. “I hope this will spur negotiations around Safe Harbor 2.0,” she said. “It’s possible this moment today will provide an impetus for negotiators,” O’Connor noted, citing recent changes in surveillance law in the U.S., notably the USA FREEDOM Act.
“If you care about privacy, you’ll want Safe Harbor 2.0 back,” Hengesbaugh said, explaining that doing so would bring the Federal Trade Commission (FTC) back into enforcement in the U.S.
It’s true, today’s decision means the FTC has lost a good deal of its authority to enforce against businesses that had self-certified under Safe Harbor, but at least one of its commissioners was optimistic as well. FTC Commissioner Julie Brill (@JulieBrillFTC) said as much on Twitter on October 6, 2015.
Now, the questions remain: Will more individuals take legal action in the EU, and will the DPAs have enough resources to deal with them?
A Brief History of Safe Harbor is available on the IAPP’s online Resource Center.