Following disclosures about U.S. policies concerning monitoring of private communications emanating from the EU and concerns about inadequate U.S. protection of private data of EU citizens, the European Commission is currently considering changes in the U.S.-EU Safe Harbor framework (“Safe Harbor”). The European Commission has proposed 13 recommendations to change the Safe Harbor. These can be grouped and summarized briefly as follows:
- The Safe Harbor must become more transparent;
- Alternative dispute resolution (“ADR”) must be included in the Safe Harbor;
- Compliance with the Safe Harbor must be more actively enforced and audited by the Department of Commerce; and,
- The circumstances under which U.S. authorities may access EU personal data processed by a Safe Harbor self-certified company must be made clear.
If these recommendations are all implemented, they will increase the compliance burden on companies participating in the Safe Harbor (“Safe Harbor Company”) with respect to the personal data of their EU-based employees and customers. In particular, a Safe Harbor Company would be required to:
- publish its privacy policies, and its website privacy policies would need to include a link to the Department of Commerce’s Safe Harbor List;
- publish the privacy provisions of contracts with any subcontractors (e.g., for cloud computing services);
- notify the Department of Commerce of onward transfers of personal data;
- offer one of the readily available ADR mechanisms to EU citizens in its privacy policy and include a link to the ADR provider;
- be subject to regular external audits by the Department of Commerce to assess its actual compliance with the Safe Harbor principles and its privacy policies; and
- provide a sufficient description of U.S. laws requiring disclosure of personal data, how U.S. authorities may use those laws to gain access to EU personal data, and how a Safe Harbor Company would make exceptions to the Safe Harbor principles for U.S. national security, public interest or law enforcement requirements.
U.S. industry has been preparing comments to the European Commission about these recommendations and is challenging, in particular, the recommendations requiring (i) disclosure of the privacy provisions of contracts with subcontractors, (ii) a description of the extent to which U.S. law allows public authorities to subpoena data, and (iii) an indication of when U.S. companies would apply a national security or law enforcement exemption.
Meanwhile, the European Parliament recently passed a resolution setting forth its findings and recommendations regarding the NSA’s surveillance program. Among other things, the resolution called for suspending the Safe Harbor immediately, alleging it does not adequately protect European citizens. However, the European Parliament’s resolution does not have immediate consequences for the validity of the Safe Harbor. The underlying agreements relating to the Safe Harbor were entered into by the European Commission, and in the EU, the European Commission alone is in a position to formally renegotiate the agreement. However, the resolution is an indication of the tremendous political pressure on the European Commission to implement changes to the Safe Harbor.
Given the great political sensitivity of these issues in the EU, it would be prudent for Safe Harbor Companies to begin initial planning for the contingency that some or all of these recommendations will be implemented. The proposed changes are significant and some companies may even question whether the cost of implementation and the monitoring of how personal data from the EU is transferred and handled will be worth continued participation in the Safe Harbor. Alternative options for international personal data transfer compliance would be to use the EU’s model contracts or Binding Corporate Rules.
Note that these comments are based on the changes to the Safe Harbor that have been proposed at this time. A Joint Statement released following the US-EU summit last month committed both parties “to strengthening the Safe Harbor Framework in a comprehensive manner by summer 2014”. We will continue monitoring the situation and provide updates as it becomes clearer what changes will actually be implemented.