Urgency in Post-Safe Harbor Data Transfer Planning


By Stephen Gardner

Oct. 29 — Companies affected by the invalidation of the U.S.-EU Safe Harbor Program shouldn't wait for further guidance from regulators, but instead take steps to reduce their exposure to possible enforcement action over data transfers from the European Union to the U.S., data protection officials said at the 37th International Conference of Data Protection and Privacy Commissioners Oct. 29.

Indicating that companies shouldn't expect a quick solution to the problems created by the European Court of Justice's invalidation of Safe Harbor, EU data protection officials said they were under an obligation to enforce the Oct. 6 ECJ ruling.

Isabelle Falque-Pierrotin, head of the French data protection authority and chairwoman of the Article 29 Working Party of EU data protection officials, said Oct. 29 that affected companies should “reflect on the ways you are organizing your data flows to cope with the new legal environment.”

EU privacy regulators are “bound by the decision of our supreme court,” and the point will come “when we have to act,” Falque-Pierrotin said.

Jacob Kohnstamm, chair of the Dutch DPA, told Bloomberg BNA Oct. 29 that companies which previously relied on Safe Harbor for their transfers to the U.S. from the European Economic Area should “prepare for the worst,” including a possible ban on data transfers.

The ECJ invalidated Safe Harbor on the basis that it didn't offer adequate safeguards against access to the data of EU citizens by U.S. law enforcement agencies, and didn't provide EU citizens with sufficient rights of redress in case of data privacy violations in the U.S.

‘Untenable’ Situation 

The Article 29 Working Party said Oct. 16 that it would hold off enforcement of the ECJ ruling until the end of January 2016, to give EU and U.S. authorities time to agree on a replacement mechanism for Safe Harbor.

Officials at the 37th International Conference of Data Protection and Privacy Commissioners didn't give any clear signal that they expected an agreement by the end of January, although U.S. Federal Trade Commission head Edith Ramirez said she was “optimistic” that the EU and U.S. would ultimately bridge differences over privacy protection.

“There continues to be a fundamental lack of understanding of each other's systems,” she said.

During its 15-year lifespan, Safe Harbor became “absolutely significant” for data transfers from the EU to the U.S. and the impact of its invalidation “cannot be overstated” and had “truly sent shockwaves in the U.S.,” she said.

“The current situation we are in is untenable,” and U.S. authorities are “committed to working very closely” with EU DPAs and the European Commission “to find an effective solution,” Ramirez said.

Over 4,400 U.S. companies were participating in the Safe Harbor when it was invalidated.

Companies Have ‘Shared Responsibility.’

Falque-Pierrotin said companies shouldn't wait for guidance from the privacy authorities because companies have a “shared responsibility” to ensure that their data transfers were done legally.

The Article 29 Working Party had highlighted “repeatedly” that treatment of the personal data of EU citizens in the U.S. was “not coherent with our Charter of Fundamental Rights,” she said.

The EU and U.S. authorities had to “solve the question of the guarantees” of data privacy that the ECJ had requested, Falque-Pierrotin said.

Data Protection Across Borders

The invalidation of Safe Harbor offers the possibility of a “huge step forward” if it leads to an understanding of “what type of standard guarantees we want in situations when personal data is accessed by the authorities in one country,” Falque-Pierrotin said.

Joe Cannataci, a professor at the University of Malta, who was appointed in March as the United Nations Human Rights Council Special Rapporteur on privacy, said that the free flow of data across borders for economic benefits raises the issue of the need for “safeguards without borders and remedies without borders.”

In the longer term, use of encryption to protect data “may bring governments to the table” to discuss common approaches to access to personal data for law enforcement purposes, because encryption makes mass electronic surveillance “useless,” Cannataci said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com