How safe is US safe harbour?
Information law specialist Vaughan Jones examines the latest ruling on the safety of the U.S. Safe Harbour scheme.
The European Court of Justice (ECJ) has recently caused major upset by deciding that the method of transferring Data across the Atlantic between European companies and the US via ‘US Safe Harbour’ is no longer an adequately safe method. The decision was based on the following factors:
- US public authorities are not required to comply with US Safe Harbour
- This prevents the prohibition of US officials accessing the data. As brought to light by Edward Snowden, US Safe Harbour did not prevent the US National Security Agency surveying the Data received from the EU.
- This lack of prohibition has left data exposed and the ECJ found that certain regulations were breached including, but not limited to:
- evidence that the US were processing Data in an incompatible and disproportionate way;
- no judicial or administrative redress for an EU citizen to challenge how their Data was being used in the US; and
- insufficient findings regarding methods used to ensure adequate levels of protection.
The ECJ went further and explained that National Data Protection Agencies can and should have checked that US Safe Harbour was adequate –which they did not do
What does it mean?
The ECJ’s ruling means that US Safe Harbour is no longer an adequate method to transfer Data between the EU and the US. It does not mean that Data cannot be sent from the EU to the US, but instead means that companies should use a different mechanism to transfer Data.
The ICO has issued very brief guidance saying that it will allow companies a period of grace in order to put in place new methods. Commentators have remarked as to the size and sudden nature of this change. On one hand, it appears as if business can continues as normal because the Data will still be transferred, on the other however, the mechanism on how to transfer Data has changed. As a result, companies will need to rethink not only the mechanism but also revisit internal and external data flows; privacy policies and any commercial/consumer contracts they may have. This will be quite a task for the vast majority of companies and so the ICO has offered some lee-way.
Irrespective of the above it shows a determined approach by the EU and the ECJ to take Data Protection seriously and it is highly likely that Data Protection policies will be looked at with more scrutiny. It is therefore important to ensure that not only do you have a policy, but that the policy is used and adhered to.
US Safe Harbour 2.0
- It is understood that US Safe Harbour is being revisited in an attempt to make it adequate in the eyes of the ECJ. This has been conducted in the form of ongoing negotiations between the EU and the US for the past 2 years.In order for the mechanism to be adequate, the scheme must essentially offer the equivalent level of protection as found in the EU. However, even if it is amended, it does not guarantee that it will be adequate.
- Although not as simple as relying on US Safe Harbour an alternative is to use Model Contracts. These are the standard contractual clauses approved by the European Commission to validate a data transfer.
- These are pre-drafted documents. As a result, sometimes these are not appropriate for all companies.
- This switch would involve:
- Deciding which version of the Model Contracts to use (choosing from either the US entity being a controller or processor or both).
- Ensuring that the Model Contracts are complied with by both the UK entity and the US entity
- Ensuring that the Model contract is filed with the National Data Protection Authority
- Updating privacy policies and contracts with regards to change from Safe Harbour to Model Contracts.
Binding Corporate Rules (BCR)
- Whilst this is more time consuming and costly BCRs might be more effective at ensuring compliance as they are customised by the company rather than the Model Contract.
- However, on the other hand it might be overkill particularly if the Model Contracts do the job.
- The EU privacy regulators divide countries up into two lists - the White List where the EU finds that the countries have adequate data protection laws and the Black List for those not on the White List with allegedly inadequate data protection laws. Every country in the EU is automatically on the White List. e US is not. It may be, however, that when the US revisits their data protection laws/policies they get added to the White List but this does not help companies in the short term.
For more information on this area or on data protection generally, please contact Vaughan Jones on firstname.lastname@example.org / 01228 552222.
About the author
Vaughan Jones is Partnership Chair and a specialist in corporate law.
Published: Thursday 29th October 2015
Categorised: Information Law