Safe Harbor Alternatives

With the invalidation of Safe Harbor by the European Court of Justice, companies are looking to alternative mechanisms for EU-U.S. data transfers. Before the court decision, more than 4,000 companies relied on Safe Harbor, including many small and medium-sized businesses as well as EU-based businesses.

As a result of the Snowden revelations and ensuing public debate, the European Commission issued 13 recommendations for improving Safe Harbor in November 2013. For the past two years, U.S. and EU governments have been working together to negotiate a strengthened Safe Harbor framework based on these recommendations. In the meantime, the European Commission identified three primary alternative mechanisms that remain for effecting data transfers from the EU to the U.S.: Binding Corporate Rules (BCRs), model or standard contract clauses and specific derogations in the Data Protection Directive. According to the latest tally, only 70 companies had gone through the process of approving BCRs.

In its statement last month, the Article 29 Working Party stressed that existing transfer tools are not the long-term solution to the issue, as they too are potentially impacted by the court’s decision. Indeed, the data protection authority (DPA) for the German state of Schleswig-Holstein issued a position paper stating the court’s reasoning likely invalidates alternative transfer methods such as model clauses and consent. The Article 29 Working Party clarified, however, that for an interim grace period ending January 31, 2016, DPAs consider that existing data transfer alternatives to Safe Harbor can still be used, subject to a case-by-case analysis by DPAs. The Article 29 Working Party further clarified that, effective immediately, transfers taking place under Safe Harbor are unlawful.

In light of these uncertainties, companies should take a risk-management approach to selecting an alternative mechanism to Safe Harbor, considering a number of factors, including the types of data transferred, organization data flows, locations of servers and corporate entities, ownership of subsidiaries, short-term and long-term costs associated with mechanisms and the time required to implement a mechanism. Companies may also choose to implement multiple alternatives, such as adoption of model clauses for the interim while pursuing BCRs for the long term. Such a choice may feel like choosing the least worst option. For example, model clauses are especially difficult for cloud computing companies to implement off the rack because of tough audit and subcontracting provisions, but using amended model clauses or independent intercompany contractual agreements is not preapproved by the EU. Despite these challenges, Google’s cloud platform service and Microsoft’s enterprise cloud service announced their plans to use standard model clauses as part of their alternative transfer plan after the ruling.

The following infographic outlines the various mechanisms, who they fit best and some of their advantages and disadvantages.

  • Mechanisms

    • Binding Corporate Rules
      • Legally binding internal corporate privacy rules for transferring personal information within a corporate group. BCRs must be approved by the EU data protection authorities of the member states in which the corporation operates.

    • Standard Model Clauses
      • Standard language contract clauses, which can be inserted into contracts with data controllers/processors to meet European Commission adequacy requirements. NOTE: Any amendment to the clauses would cause them to fail regulatory standards.

    • Derogations in the law
      • The derogations are explicitly stated in the Directive, including:
        • Unambiguous consent;
        • When transfer is necessary for the performance of a contract;
        • When transfer is necessary or legally required on important public-interest grounds or for the establishment, exercise or defense of legal claims;
        • When transfer is necessary to protect the vital interests of the data subject.

  • Who it is best suited for

    • Binding Corporate Rules
      • Intra-group data transfers
      • Large companies with time, money and resources
      • Companies making significant numbers of data transfers from the EU

    • Standard Model Clauses
      • Global companies that manage HR in the U.S.
      • Smaller companies that cannot afford BCRs
      • Organizations needing a short- to midterm solution until BCR implementation can be completed
      • Organizations needing one-off data transfers

    • Derogations in the law
      • Extremely limited use
      • When “necessary” and there are no other options available
      • B2C websites targeting discrete transactions by EU consumers

  • Advantages & disadvantages

    • Binding Corporate Rules
      • Less administrative burden than other options
      • Once implemented are less costly
      • More flexible than other options
      • Foment direct relationship with DPAs
      • Mutual-recognition process adopted by 21 of 28 member states
      • Encourage implementation of privacy program
      • Can be tailored to internal culture and processes
      • Explicitly compatible with Asia-Pacific Cross Border Privacy Rules
      • Good long-term solution for intra-group transfers
      • Time intensive process (12-18 months to put in place)
      • Costly to implement (may cost $1 million)
      • Only cover transfers within a corporate group
      • Validity called into doubt by ECJ decision

    • Standard Model Clauses
      • Quick and easy to adopt
      • Freely available
      • Cost-efficient
      • Level of certainty for compliance if not amended
      • Preapproved by European Commission
      • Although not explicitly approved by the EU, entities may be able to be grouped through power of attorney or other mechanisms to limit the number of contracts necessary for transfers
      • Non-negotiable/amendable
      • Contain strict subcontracting controls
      • Filing/approval requirements vary among EU member states
      • Lacks liability limitations
      • Contracts can be directly enforced by data subjects
      • Clauses sometimes exceed the obligations of the Directive
      • Not business-friendly
      • Need an agreement for every entity exchanging the data and for each export of data
      • Need to be changed over time to account for new data transfers/transactions/entities
      • Validity called into doubt by ECJ decision

    • Derogations in the law
      • Explicitly stated in the Directive
      • Interpreted restrictively
      • Limited Application
      • Should be used very sparingly and should not be used for regular or routine data transfers
      • Considered to be an exception to the Directive, not a stable solution
      • Narrow and specific requirements for consent are difficult to meet, particularly in the context of employee data
