Two decades ago, the European Union passed a sweeping Data Protection Directive (DPD) that revolutionized the world...
of privacy by affording citizens unprecedented rights. Companies around the world scrambled to implement protections that complied with the DPD.
In October 2015, almost two decades to the day after its approval, European courts responded to the Edward Snowden disclosures of NSA surveillance by striking down the Safe Harbor agreement provision of the DPD. This decision will have a significant impact on international organizations doing business in the EU.
What is the Safe Harbor agreement?
The DPD provides EU citizens with one of the strongest data privacy regimes in the world. Companies that do business in Europe must take aggressive steps to ensure they obey the seven principles of the DPD: notice, purpose, consent, security, disclosure, access and accountability. The DPD also includes protections that restrict the transfer of personal information outside of the European Union. That's where Safe Harbor comes into play.
EU regulators recognized that it would be impractical to prohibit the transfer of personal information outside of the EU because it would disrupt international business. Imagine, for example, a world where an international company headquartered in New York could not maintain records about European employees in its HR department based in New York.
Most U.S. companies that must engage in EU-U.S. data transfers comply with the DPD through a provision known as Safe Harbor. Under this agreement between EU regulators and the U.S. Department of Commerce, U.S. companies may self-certify to the Department of Commerce that they comply with the privacy framework and issue a public declaration of this compliance. This is the easiest path to compliance and avoids more complex legal maneuvers.
What's changed and what's next?
On Oct. 6 2015, the Court of Justice of the European Union (CJEU) issued a decision striking down the Safe Harbor agreement between the EU and the U.S. This decision essentially vaporized the Safe Harbor agreement and plunged EU-U.S. data-sharing arrangements into a state of turmoil. The CJEU is the EU's highest court and has the final say on the interpretation of European Union law, so there does not seem to be a path forward where the existing EU-U.S. Safe Harbor agreement will again become valid.
Lawyers on both sides of the Atlantic are scrambling to develop alternatives to the Safe Harbor agreement. As of November 1, 2015, there were 5,498 companies on the Department of Commerce's Safe Harbor list. Under most interpretations of the CJEU decision, all of these companies are suddenly noncompliant with the EU DPD and may not transfer personal information from the EU to the U.S.
Fortunately, there are other ways to comply with the DPD, and companies involved in international data transfers should begin examining them immediately. Companies in this position have three options:
- Sign company-specific legal agreements that legitimize data-sharing arrangements. These agreements come in the form of adopting model contract language between companies sharing data or adopting binding corporate rules that regulate intra-company data sharing.
- Obtain consent from the individuals affected by the data across the Atlantic. This may be practical in the case of employee information, but is probably not feasible in cases that involve information about thousands or millions of consumers.
- Temporarily suspend the sharing of private information across the EU-U.S. border until this situation is resolved. The U.S. Department of Commerce is working on a new data sharing agreement with the European Union that may restore this option for U.S. companies. However, there is no set timeline for the adoption of a new agreement, so choosing this path may leave companies in limbo for an extended period of time.
The CJEU decision invalidating the EU-U.S. Safe Harbor agreement is likely the most significant privacy regulatory event of the decade. It has an immediate, substantial impact on thousands of American companies that must now take quick and decisive action to remain compliant with European Union law.
Learn how to build an effective corporate privacy compliance program