Death of the Safe Harbor Leaves Companies Scrambling
Need to Know...
• In a decision focused on EU concerns with U.S. surveillance activities, the ECJ struck down the framework that many companies have relied on to legally transfer the personal information of EU citizens back to the United States
• In addition to creating a compliance headache in HR- and payroll-related areas, this ruling creates an obstacle for companies investigating possible bribery, corruption, and other misconduct in EU countries
• The EU and U.S. are working to find a suitable alternative to the Safe Harbor before the grace period ends at the end of January
In a landmark data protection ruling, the European Court of Justice’s decision in Schrems v. Data Protection Commissioner last month struck down the agreement companies have relied on for 15 years to legally transfer the personal information of EU employees and customers back to the United States. In ruling that the Safe Harbor framework is now illegal, the court expressed particular concern with the ability of U.S. intelligence agencies to access personal information and found that the longstanding arrangement insufficiently protected EU citizens’ personal data.
This judgment affects any company relying on the Safe Harbor program to validly transfer personal data, such as payroll and HR information, across the Atlantic. It will also have an immediate impact on how companies conduct internal investigations of misconduct in the EU.
Although a brief grace period has been granted before enforcement begins, this decision will leave companies scrambling as they consider their options for legal data transfers.
Under the European Commission’s Data Protection Directive, companies that export the personal information of EU citizens are required to provide privacy protection consistent with EU standards. The Safe Harbor framework developed by the Department of Commerce and European Commission allowed U.S. companies to self-certify, subject to enforcement by the Federal Trade Commission, that they adequately complied with EU privacy standards and would protect EU data in the United States. Thousands of companies, in particular smaller companies, relied on this agreement to operate in the EU.
The Schrems case brought to a head the differing attitudes the U.S. and EU hold toward data privacy, with the latter viewing it as a fundamental right. The ECJ found that the framework was problematic because it allowed U.S. public authorities to interfere with the fundamental rights of EU citizens and did not provide individuals with administrative or judicial means of redress.
The decision also gives local data protection authorities the ability to investigate complaints regarding the transfer of data outside of the EU and suspend the transfer of data to the United States, opening the floodgates for future privacy suits in Europe.
What Does This Mean for U.S. Companies?
In addition to creating compliance headaches, this ruling creates an obstacle for companies investigating possible bribery, corruption, and other misconduct in EU countries. Companies have relied on the Safe Harbor framework to transfer whistleblower hotline information and other data to the United States so that it can be reviewed, stored, and shared with government prosecutors when necessary. Under the Foreign Corrupt Practices Act and the Yates Memo, a corporation must turn over to the Department of Justice all relevant information about an individual under investigation for corporate misconduct in order to receive any cooperation credit.
In order to transfer private information, such as work emails—which are considered private in the EU—a U.S. company that does not have an alternative to Safe Harbor in place will have to ask the target of an investigation for informed consent to do so. Even if a company did not directly rely on the Safe Harbor to bring information to the United States, it may have used third parties such as accounting and law firms that were certified under the Safe Harbor agreement.
The ruling, which applies to transfers that are intragroup or through the supply chain, could create a roadblock for companies engaged in litigation that rely on cross-border data transfers in their discovery. Companies must now also review all contracts that reference certification under the Safe Harbor for potential impact.
Although larger companies have often used multiple mechanisms for transferring data back to the United States, many are now struggling to determine how they will maintain the flow of data.
After the ruling, many wondered whether alternative tools for cross-border transfers would stand in light of the decision. On October 16, the European Commission’s advisory group announced that “If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” The group affirmed that Model Contracts and Binding Corporate Rules are still viable transfer tools, although these will also be assessed in light of the ECJ’s ruling.
Safe Harbor 2.0
On October 26, the EU stated it had reached an agreement in principle with the United States on a new framework. The EU and U.S. had already been discussing revisions to the Safe Harbor for two years to address cloud services, social media, and intelligence-gathering activities; the task obviously became more urgent in light of the January deadline.
Justice Commissioner Věra Jourová indicated that the agreement would include greater oversight by the Department of Commerce, more cooperation between U.S. and EU regulators, and a redress mechanism for EU citizens. Technical details remain to be worked out to ensure it fully complies with the ECJ’s ruling. Not surprisingly, one of the sticking points is the type of access U.S. intelligence agencies will have to EU data.
In a critical step toward restoring transatlantic data flows, the U.S. House of Representatives passed the Judicial Redress Act on October 20. This legislation, which now goes to the Senate, would grant foreign citizens of designated countries the same rights as U.S. citizens for judicial redress when personal information is mishandled. Although it would provide the right to sue certain agencies, it is possible that the bill will not go far enough to ease EU concerns.
The ECJ’s judgment created significant momentum in efforts to negotiate a new Safe Harbor agreement, and congressional action is a step in that direction. Under a new agreement, companies would regain some certainty; however, it is likely that the EU and its privacy authorities will have greater say in how personal information is collected and stored. U.S. companies operating in the EU need to closely monitor this situation to assess the impact on their businesses.