The Not So Safe - 'Safe Harbour Scheme'

More than a month after the ‘Schrems – v – Facebook’ (2015) judgment of the Court of Justice of the European Union (CJEU) declared the Safe Harbour Agreement invalid, the transfer of personal data from the EU to the USA is still not being adequately protected.

Some background

Back in 2000 a Safe Harbour Programme was established in order to enable the safe and protected transfer of personal data from the EU to the US. EU privacy laws restrict the transfer of personal data outside the EU unless it is adequately protected.

The programme is a self-regulatory scheme created by the European Commission and the US Department of Commerce to overcome the existing restriction in EU privacy laws, and more particularly to comply with EU privacy laws and provide adequate protection when data is transferred from the EU to the US.

Each US company participating in the Safe Harbour Scheme was considered safe for EU companies to do business with, in terms of the safe transfer of personal data.

The Court's decision of 6th October 2015 in ‘Schrems – v – Facebook’ (2015) changed the whole scenario and tore a hole in the “safety” net. It was held that the Scheme is not valid and does not give adequate protection for the safe transfer of personal data. The decision led to chaos and opened Pandora's Box as far as the legal world was concerned. Some of the logical questions that followed were:

  1. What’s next?
  2. How do we protect ourselves?
  3. How is that decision being applied to other similar Safe Harbour Schemes?
  4. What is the CJEU doing?

Luckily there are a few alternatives that currently offer a way across the legal abyss created by the Safe Harbour Scheme's inadequacies. Businesses are able to use these as a short term fix, but they aren’t guaranteed and they certainly aren’t the solution.

There are a few alternative options that we'll explain below:

The EU Model Clauses contract

Quite simply, this is a template approved by the EU Commission which incorporates all the rules that need to be followed in order for a business to be considered to have adequate data transfer protection. For increased safety it is preferable that the clauses remain exactly as suggested in the template, because the Commission has included all the necessary conditions covering the wide range of privacy laws, so it provides good protection guidance. However, the Model Clauses contract does not and cannot promise 100% protection, nor can it stop US authorities bypassing these constraints to access the information they need or want.

Unfortunately, US legislation is different from European legislation, and the difference is profound. US laws allow for the large scale collection of personal data without effective judicial control. To add insult to injury, the public authorities in the US are not subject to Safe Harbour, and US entities are bound to disregard the protective measures contained in Safe Harbour where they conflict with US law enforcement, national security or public interests.

Mutual Agreement

If the parties concerned so wish, they can sign a mutual agreement covering the “safe” data transfer, which again gives an EU company slightly better protection than the alternative of none. It is highly risky though, as either party might miss something of great importance, and that can result in unprecedented, long term damage.

BCR Scheme

Another option is the Binding Corporate Rules (BCR) scheme, which offers a safe area enabling multiple transfers within a group of companies that use the recognition system. This is highly likely to be implemented in the new EU Regulation in 2016, but in the meantime guidance on the use of Model Clauses and Binding Corporate Rules has been issued.

The WP29 statement emphasizes the unlawful nature of the Safe Harbour Scheme, stating specifically that “If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” In other words, there is a deadline for finding a solution to the Safe Harbour problem.

Consequences

The consequences for companies that transfer personal data from the EU to the US, whether intra-Group or to third parties, are as follows:

  • If your business is Safe Harbor certified, or it transfers EU personal data to a US company using Safe Harbor, you will need to consider adopting alternative solutions immediately. These may include, for example, the Model Clauses or BCRs.
  • If your company transfers EU personal data to the US using the Model Clauses or BCRs, you should be aware that these mechanisms may also be found to raise many of the same concerns that caused the CJEU to invalidate the Safe Harbor program; however, for the time being, the WP29 Statement would appear to mitigate the compliance risks arising from reliance on these measures.
  • Businesses should take stock of their data protection and data transfer practices in order to ensure that their practices conform to the commitments that they undertake pursuant to the Model Clauses or BCRs, and should consider ways of addressing compliance risks if the January 2016 deadline for concluding the Safe Harbor negotiations is not met.

Global Perspective

The next question to consider is: what about the Safe Harbour Scheme with Canada? How is that affected by the recent Court decision? At the moment the Canadian Scheme is still deemed to be valid, but of course the same questions have arisen as in the Schrems case. According to many legal critics, it is only a matter of time before this Scheme too is deemed no longer to provide adequate protection. The EU Commission is working on a whole piece of legislation that will hopefully be applied to all other Schemes too.

If we look at Israel, which has recently become known for its massive impact on the Digital Market, its ILTA (Israeli Law Information and Technology Agency) has stated that under Israeli law it is prohibited to transfer personal data without adequate protection. Now, after the 6th October decision, Israel faces the same problem as all the EU countries. The ILTA also refers to the EU Model Clauses, but considers that even these cannot provide adequate protection. Under Israeli law, companies should consider other alternatives such as strong encryption, a change of server location and individual consents.

Resolution

If we look at this issue from a global perspective, it’s easy to see how widespread the effects are. All businesses involved are being forced to fall back on a plan B which, although it plugs a hole right now, won’t provide full and adequate protection. While everyone involved is doing their best to be understanding during this time of instability, relying on good faith and good business practice between partners, they’re also waiting to hear some good news in January 2016. The hope is that by then a new unified decision will be implemented and held valid for all those affected.