U.S.-EU Safe Harbor Self-Certification Now Illegal

What is Safe Harbor?

U.S.-EU Safe Harbor Overview from www.export.gov:

The European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The EU, however, relies on comprehensive legislation that requires, among other things, the creation of independent government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these differences, the Directive could have significantly hampered the ability of U.S. organizations to engage in a range of trans-Atlantic transactions.

In order to bridge these differences and provide a streamlined and cost-effective means for U.S. organizations to satisfy the Directive’s “adequacy” requirement, the U.S. Department of Commerce in consultation with the European Commission developed a “safe harbor” framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU in 2000, is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws. Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides “adequate” privacy protection, as defined by the Directive.

Court of Justice Declares that the European Commission’s U.S. Safe Harbor Decision Is Invalid

An Austrian privacy activist, Maximilian Schrems, filed a suit in Ireland claiming that Facebook had mishandled his information by transferring it to the U.S. under the Safe Harbor rule. The suit, Schrems v. Data Protection Authority, claimed that in light of the information provided by Edward Snowden, U.S. intelligence agencies were obtaining data related to EU citizens without their consent and without ensuring an adequate level of protection for the data. The Data Protection Directive of the European Parliament states that the transfer of citizens’ personal information to a country outside of the EU may take place only if the outside country ensures an adequate level of protection for the data. The recent decision in the Schrems case states that national security, public interest and law enforcement in the U.S. take precedence over complying with the Safe Harbor rules. As a result, the Court of Justice found the original U.S. Safe Harbor decision to be invalid.

What does this mean for U.S. companies?

Over 5,000 U.S. companies have self-certified compliance with U.S. Safe Harbor rules. What do they do now? For now, the EU privacy regulators have set a deadline of January 2016 for EU and U.S. authorities to come up with a new solution to share data between the EU and U.S. The regulators will not begin enforcement until after January 2016. It’s likely that a solution will be reached, but there may be additional restrictions placed on how the U.S. is able to use data related to citizens of the EU. U.S. cloud companies like Amazon will be watching closely. Knowing exactly where your data is, what the data looks like, and how it is protected is still the best bet for U.S. companies that wish to continue to comply with EU privacy requirements.