Why You Need to Care About EU Safe Harbor
When we were in school, we learned that many relationships between countries started out based on trade. Whether it was spices, sugar, or demon rum, exchanging goods that one country had for things that the other country had was the basis of those relationships.
Now that countries are trading bits instead of bearskins, things are no different—it’s still based on treaties and agreements. But recently the agreement between the U.S. and the European Union (EU) has broken down, and many companies in both regions are hoping the politicians and administrators figure it out soon.
The Safe Harbor program, implemented in October, 1998, is an agreement between the United States and the European Union. Under it, groups that want to bring personal data from the EU to the U.S. must certify to the U.S. Federal Trade Commission that they are complying with certain security procedures, explains Leonard Deutchman in The Legal Intelligencer.
But because of Edward Snowden’s revelation that the U.S. National Security Agency (NSA) was monitoring Internet communications, the Court of Justice of the European Union (ECJ) ruled on October 6 that the privacy rights guaranteed by the Charter of Fundamental Rights of the European Union were no longer being protected, and shut down the Safe Harbor program.
The court’s decision means that data importers and exporters have to use the EU’s standard contractual clauses for the transfer of personal data from the EU to third countries, Deutchman writes. While this method works, “they have to be executed by each importer and exporter each time data is transferred, and so add to paperwork,” he explains.
The decision affects approximately 4,400 U.S. companies certified in the program, as well as thousands of EU companies that relied on the certification to transfer personal data to those companies, writes Stephen Gardner for Bloomberg.
The court also gave the EU and the U.S. until the end of this month to work out a new Safe Harbor provision that protects the privacy rights of European citizens. Several bills are working their way through Congress that the industry hopes will satisfy the court and take care of the issue. Other changes could be put into place administratively without requiring legislative changes, writes Jens-Henrik Jeppesen of the Center for Democracy & Technology.
For example, part of the court’s issue was that it was more difficult for non-U.S. citizens than for U.S. citizens to raise privacy issues with the U.S. government. A bill called H.R. 1428, known as the Judicial Redress Act, is intended to fix this problem. “This bill, which would give foreigners the same ability to seek judicial redress from the U.S. government that American citizens already have, would serve as a step towards the establishment of a framework for rules to replace the invalidated safe harbor agreement,” writes Steve Brachmann in IP Watchdog.
At the same time, governments—including those of the EU—want to be able to maintain some ability to monitor communications for national security, Brachmann writes. “New rules would put in place a system by which some data surveillance could be justifiable, an important consideration given the ability of terrorist groups to leverage encrypted messaging technologies to coordinate attacks,” he explains.
In fact, EU member countries may have the same sort of monitoring programs that the NSA does—it’s just that people don’t know about them yet, Deutchman writes. “It is hard to imagine that, post-9/11, EU countries do not have similar programs, and all of the recent discussions, in the wake of the recent, horrific attacks in Paris and even before, certainly heighten the suspicion that EU countries have programs similar to the NSA’s,” he explains.
“The specific complaint in the opinion had to do with data kept by Facebook; given the discussion of how social media is being used to recruit young people to join ISIS and so on, it is hard to imagine that EU countries are not looking at Facebook data, as well as data from numerous other social media sites, as the NSA did. Regardless of what a data exporter and importer agree to, how can either guarantee that their governments will not access their data?”
In addition, U.S. laws may actually end up providing more protection than EU ones because they are more strictly enforced, writes Tim Sparapani, a principal at SPQR Strategies, in The Hill.
Observers like Sparapani are hopeful that the situation will be worked out, if only because—as has historically been the case with trade—so much money is involved. If it is not resolved, EU companies may move from U.S. vendors to EU-based competitors—plus U.S. companies would have to invest a lot of money to collect, store, and process the data of Europeans, he warns.
In the meantime, if your company has been relying on Safe Harbor provisions to exchange data between the EU and the U.S., you need to be prepared to take action, either by self-certifying or by using contractual clauses, write attorneys Diana T. Vermeire and Tom C. Vincent II in Tulsa World. “If you’re not actively complying, you have a decision to make,” they write. “Companies collecting information on EU citizens—and not currently certifying under Safe Harbor or utilizing Rules and Clauses—must either begin using one of these methods, obtain the consent of the individuals whose information is being collected or reduce the specific identifying nature of the information, i.e. make it anonymous.”
Failing that, we can always go back to trading stone knives and bearskins.