{"id":248,"date":"2015-09-25T10:25:59","date_gmt":"2015-09-25T16:25:59","guid":{"rendered":"http:\/\/ericlambert.net\/blog\/?p=248"},"modified":"2015-09-25T10:25:59","modified_gmt":"2015-09-25T16:25:59","slug":"eu-us-safe-harbor-for-personal-data-transfers-may-not-be-adequate-after-all","status":"publish","type":"post","link":"https:\/\/ericlambert.net\/blog\/2015\/09\/25\/eu-us-safe-harbor-for-personal-data-transfers-may-not-be-adequate-after-all\/","title":{"rendered":"Safe Harbor Framework for EU to US Personal Data Transfers May Not Be &#8220;Adequate&#8221; After All"},"content":{"rendered":"<p>This week, the Advocate General of the European Court of Justice (ECJ) issued a preliminary and non-binding assessment in\u00a0an ECJ case<strong> recommending that the ECJ find the US-EU\u00a0Safe Harbor Framework to be invalid<\/strong>.<\/p>\n<p>For US companies with European subsidiaries that regularly need to transfer data back to the US home office, one of the primary data privacy considerations is compliance with the EU&#8217;s Data Protection Directive. Each EU member state has adopted its own data protection law\u00a0based on the Directive. The Directive covers personal data in the European Economic Area (the EU, Iceland, Liechtenstein and Norway).<\/p>\n<p>Under Article 25 of the Directive, the transfer of\u00a0personal data to a country or territory outside of the EEA is prohibited unless that country or territory ensures\u00a0an &#8220;adequate&#8221; level of data protection in the eyes of the EU. \u00a0In some cases, the EU will declare a country to have &#8220;adequate&#8221; protections in place (e.g., Canada, based on its national PIPEDA data privacy law).<\/p>\n<p>The US is one of the countries that is not deemed &#8220;adequate&#8221; by the EU. \u00a0(The US\u00a0does not have a comprehensive national privacy law like Canada or the EU, but instead uses a &#8220;sectoral&#8221; approach to regulate data privacy.) 
\u00a0Because of this, the EU controller of the personal data must ensure that the US company receiving the data provides an adequate level of protection for personal data before the data transfer is permitted. \u00a0This can be achieved in a number of ways, including:<\/p>\n<ul>\n<li><strong>The Directive\u00a0itself (Article 26) lists derogations\u00a0under which\u00a0a transfer may proceed without an adequacy finding,<\/strong>\u00a0such as where the data subject consents to the transfer, the transfer is necessary for the performance of, or conclusion of, the contract between the data subject and data controller, or it is necessary to protect the vital interests of the data subject.<\/li>\n<li>A company&#8217;s Board of Directors can adopt\u00a0<strong>binding corporate rules<\/strong>, approved by the relevant EU data protection authorities,\u00a0requiring adequate safeguards within a corporate group to protect personal data throughout the organization.<\/li>\n<li>The\u00a0EU entity and US entity can enter into a contract (utilizing the <strong>model contract<\/strong>\u00a0<strong>clauses<\/strong> approved by the European Commission)\u00a0with provisions ensuring data is adequately protected.<\/li>\n<li>The transfer is to a US entity that participates in the <strong>Safe Harbor Framework<\/strong>, a program agreed upon by the US and EU in 2000 under which\u00a0US companies that\u00a0self-certify that their data protection policies and practices are in compliance with the\u00a0requirements of the Framework are deemed to have an &#8220;adequate&#8221; level of data protection for EU data transfer purposes. 
\u00a0<strong>Over 5,000 companies<\/strong>\u00a0have certified their compliance with the Safe Harbor Framework.<\/li>\n<\/ul>\n<p>Edward Snowden&#8217;s revelations regarding US government surveillance programs and practices\u00a0created many questions regarding whether the Safe Harbor Framework was truly &#8220;adequate&#8221; for EU purposes, since regardless of a company&#8217;s own policies and practices the US government could access the personal data of EU data subjects stored on US servers. \u00a0This week, in a case brought by Austrian law student Max Schrems challenging the transfer of his data to the US by Facebook under the\u00a0Safe Harbor Framework,\u00a0the Advocate General of the European Court of Justice (ECJ) issued a preliminary and non-binding assessment <strong>recommending that the ECJ find the Safe Harbor Framework to be invalid<\/strong>. \u00a0The ECJ can ignore the Advocate General&#8217;s recommendation, but does so only rarely.<\/p>\n<p>The language\u00a0of the decision will be very important, as the potential for US government surveillance of and access to personal data of EU data subjects stored in the US goes beyond the Safe Harbor Framework. \u00a0A broad decision could create problems for the ability of US companies to achieve adequacy for EU data transfer purposes, <span style=\"text-decoration: underline;\">regardless of the adequacy approach used<\/span> &#8212; US government surveillance could be determined to trump <em>any<\/em> adequacy approach taken by US companies in the eyes of the EU.\u00a0A finding that the US government&#8217;s surveillance practices call into question the adequacy of transfers of data to US companies in general would cause major headaches and disruptions for US businesses, and would have political and economic ramifications. 
It will be interesting to see how deep down this rabbit hole the ECJ is willing to go.<\/p>\n<p>Companies that\u00a0participate in the Safe Harbor Framework should immediately start looking at alternative choices for achieving &#8220;adequacy&#8221; in the eyes of the EU to allow for continued data transfers. \u00a0Companies should also look at whether any of their vendors rely on Safe Harbor in the performance of their obligations, and contact them regarding their contingency plans if Safe Harbor is found to be invalid.\u00a0If the ECJ adopts the Advocate General&#8217;s recommendation, it is unclear whether it will provide any grace period for companies\u00a0to implement an alternative approach. \u00a0Public reporting companies participating in the Safe Harbor Framework may also want to consider whether this uncertainty\u00a0should be\u00a0cited\u00a0in their risk factors for SEC reporting purposes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This week, the Advocate General of the European Court of Justice (ECJ) issued a preliminary and non-binding assessment in\u00a0an ECJ case recommending that the ECJ find the US-EU\u00a0Safe Harbor Framework to be invalid. 
For US companies with European subsidiaries that &hellip; <a href=\"https:\/\/ericlambert.net\/blog\/2015\/09\/25\/eu-us-safe-harbor-for-personal-data-transfers-may-not-be-adequate-after-all\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,10,1],"tags":[69,72,91,141,161],"class_list":["post-248","post","type-post","status-publish","format-standard","hentry","category-legal","category-privacy","category-uncategorized","tag-data-privacy","tag-data-transfer","tag-eu","tag-privacy","tag-safe-harbor"],"_links":{"self":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/comments?post=248"}],"version-history":[{"count":0,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/248\/revisions"}],"wp:attachment":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/media?parent=248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/categories?post=248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/tags?post=248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}