When the European Union Court of Justice ruled last October to invalidate a pact used by thousands of American companies to transfer Europeans' personal information stateside, the data protection authority in Brussels set a January deadline for both sides to reach a new agreement.
But with that deadline looming – and no clear alternatives to the US-EU Safe Harbor agreement in place – American firms handling data about EU citizens have just weeks to figure out how to comply with European data privacy laws.
The Article 29 Working Group, which advises EU data protection authorities (DPAs), has said that after Jan. 31 companies that cannot comply with privacy rules could face enforcement action.
It's not clear what form that action might take, or even whether the various DPAs will crack down on anything other than egregious violations. Authorities in Germany and France have indicated they plan to start investigating data flows between the EU and US after Jan. 31.
For now, according to legal and privacy experts, companies should begin planning for the possibility that no alternative to Safe Harbor will emerge by the deadline.
"The question is, on February 1, assuming there is no extension of this abeyance period and there is no Safe Harbor 2.0, will all the companies be in violation of foreign data privacy law?" asked Bart Lazar, a privacy attorney with law firm Seyfarth Shaw in Chicago. "What will happen as a result?"
US companies have used the US-EU Safe Harbor pact since 2000 to certify their compliance with EU data privacy requirements when transferring data, such as the personnel records of EU employees or private EU consumer data, to the US.
The agreement, developed by the US Department of Commerce in collaboration with the European Commission, was designed to assure data privacy authorities in EU countries that data on their citizens was being protected in accordance with their privacy standards. It eliminated the need for companies to individually notify EU authorities of their privacy controls and get them approved.
Some 4,500 US companies, including Microsoft, Google and Facebook, have used Safe Harbor to transfer EU data to their US systems. However, last October, in response to a lawsuit filed by Austrian Internet activist Max Schrems over Facebook's data transfer practices, the European Court of Justice decided Safe Harbor was not sufficient to guarantee the privacy of EU data. In its ruling, the Court held that Safe Harbor did not specifically prevent US companies from allowing the government to access data on EU residents stored on servers in the US.
Since then, US authorities and the European Commission have been working on developing a more acceptable version of the pact, informally dubbed Safe Harbor 2.0. The updated pact was expected to be struck before Jan. 31, but so far there is little indication that will happen.
EU leaders expect any new agreement to include new limits on US authorities when it comes to accessing Europeans' data, EU Justice Commissioner Vera Jourova said at a conference in Brussels this week.
"We need guarantees that there is effective judicial control of public authorities' access to data for national security, law enforcement and public interest purposes," said Ms. Jourova, according to Reuters.
But until both sides work out an acceptable deal, a majority of US companies that relied on Safe Harbor appear to be waiting for the new pact while also looking at other options.
"While everyone hopes something will be forthcoming this month, organizations are moving ahead with putting in place alternative mechanisms," said Miriam Wugmeister, an attorney specializing in privacy and data security laws with Morrison Foerster. "This will severely undercut the usefulness of Safe Harbor 2.0 because many organizations will have put alternatives in place."
A study of 248 US companies conducted by the Internet privacy firm TRUSTe showed 78 percent of firms were still using Safe Harbor while holding out for a new pact by the end of January.
"The data shows there’s clearly a subset of companies that, if a Safe Harbor 2.0 doesn’t come along soon, are going to be out of compliance," said Dave Deasy, vice president of marketing at TRUSTe.
However, many are hedging their bets.
TRUSTe found that slightly more than half of the US companies that used Safe Harbor are also using or preparing to use so-called "model contract clauses" in their contracts with European partners and clients.
The model clauses, also referred to as standardized clauses, contain language approved by the European Commission that is sufficiently binding for use in cross-border transfers from the EU, Mr. Deasy said. Model clauses are especially useful for companies transferring HR and personnel data to the US, Deasy added.
"If you add this in your contract relating to how you collect and process data, it is deemed to be a legally viable way of saying how you handle data," Deasy said. "The key is they are nonnegotiable. They are not open to interpretation."
Among other things, the clauses ensure that EU citizens have the right to seek redress from American companies in situations where their data might have been mishandled. The clauses also require US firms to agree to be subject to EU jurisdiction in those circumstances, Mr. Lazar of Seyfarth Shaw added.
Companies that haven’t already included it in their contract language should consider doing so, he said. Regardless of what transpires after the end of this month, Lazar said, US organizations should be reviewing their practices with regard to handling EU data. "We don't know if the period of abeyance will continue."
This story was updated after publication to correct the name of Bart Lazar, privacy attorney with Seyfarth Shaw law firm.