The invalidity of Safe Harbor and the way forward


Category: AmCham News

This October, the European Court of Justice ruled that the Safe Harbor arrangement between the European Commission and the US was invalid. Essentially, the privacy protection of personal information was deemed insufficient, as pertains to article 25 of the EU directive on data protection, which regulates export of personal data. In particular, the court believed US regulation provided too much back-door access for US government agencies.

Safe Harbor dates back to 2000. Until October 2015 it served as a uniform set of rules for any organization operating in EU and EEA member states transferring personal data to the US. As long as the US companies receiving the data followed the rules of Safe Harbor, the exporters of the data were compliant.

The invalidity of the Safe Harbor arrangement has created temporary (and potentially long-term) ambiguity for companies on cross-border handling of customer data. A deadline for a new agreement between the US and EU has been set for January 2016. However, it remains to be seen if the deadline will be reached. The breakdown of the Safe Harbor arrangement does not mean that companies will stop all international transfer of data. In the meantime, companies are left in a legally grey area on how to handle and transfer data out of the EU and into the US.

Here in Norway, many companies have applied for authorization through Datatilsynet, confirming that they meet the criteria for compliance. Following the Court’s Safe Harbor judgement, Datatilsynet sent a letter to 110 companies who transfer data to the US under the Safe Harbor arrangement, warning that doing so was no longer legal. As a patchwork solution, Datatilsynet, as well as other European regulatory authorities, have recommended use of EU model clauses as a temporary workaround for data export to the US.

Our Experts and the Path Ahead

Representatives from AmCham member law firms Arntzen de Besche, Bull & Co and Ræder point out that whether following these model clauses, or setting up binding corporate rules (guidelines for intra-company data transfer), companies transferring data to the US may still be at risk in light of the Snowden revelations. At the same time, they also question the implications of the model clauses.

“Salesforce, and other cloud-based service providers, immediately sent letters to their customers following the ECJ judgement, informing on their data transfer practices. This helped them get ahead of liability problems, and this could increasingly be a solution for Norwegian and Swiss based customers” says Kristian Foss of Bull & Co.

Companies are increasingly becoming innovative to deal with the problem; Microsoft, for example, not only opened additional data storage centers in Germany to hold German customer data, but also placed the keys to the data in the hands of a third party (Deutsche Telekom) to ensure that US authorities cannot force Microsoft to surrender such data.

Government enforcement of the data protection rules, including here in Norway, is a task requiring considerable resources. Consequently, little active enforcement is done. Fines are also low. The average fine over the last 10 years stands at about NOK 125 000, with the highest at NOK 900 000. Enforcement aside, privacy is an increasingly important issue to end-users, and companies are using the protection of personal data as a competitive advantage.

As of today, there are few examples of companies losing customers as a result of non-compliance, and there is admittedly a difference between private customers posting on social media and large multinationals with legal departments able to perform due diligence.

The deadline for a new Safe Harbor ‘2.0’ agreement is January 29, 2016. Datatilsynet is optimistic that a new deal will be in place on time. The new Safe Harbor agreement will be a framework agreement for a huge area of current transatlantic trade. Many, including our expert panel, have mixed feelings. In the event of a failure to reach an agreement, Datatilsynet has made preparations for an increase in applications based on EU standard model clauses, as there will be an increased focus on enforcement in a number of participating countries. “The problem is that we aren’t really sure that the model clauses are any better than Safe Harbor,” argued Espen Sandvik of Arntzen de Besche. Although surprisingly quiet, and perhaps because most are waiting for the January 29 deadline, “users are starting to contact us about the model clauses, and mostly from the customer perspective,” adds Ræder’s Vebjørn Søndersrød.

The recent terror attacks in Paris highlight the importance of this issue, and evoke strong opinions on both sides of the personal data privacy discussion. While one camp argues that increased collection and use of personal data is necessary to protect citizens, the other camp says that the data collection that already exists isn’t effective and is more invasive than beneficial. It is important that regulation be in place, but it is also important that the regulation is sensible. In a country where the majority of security cameras filming in downtown areas are operating illegally, we need to be conscientious of how we collect and transfer data.

Data protection authorities in EU countries have stated that the Safe Harbor case brought by Mr. Schrems will be enforced in the absence of a new agreement after January 2016. Progress is being made, however, and according to Lexology the European Commissioner for Justice, Consumer and Gender equality stated that the US and EU “agreed on concrete next steps in order to come to a conclusion before the end of January 2016.” This shows confidence for the possibility of Safe Harbor 2.0 within the January 2016 deadline. While the absence of Safe Harbor does not mean a shutdown of business in the meantime, we encourage companies to follow along with the process.

Source: AmCham

Published: February 27, 2024