Recently, my colleague Phil Lee posted an obituary on Safe Harbor. The article was funny, a touch provocative, but especially well grounded. As we approach the end of January, never has the fate of Safe Harbor seemed so uncertain.
For those who have been following our blog, you'll know that on October 6th, 2015, the Court of Justice of the European Union ("CJEU") ruled in a ground-breaking decision that the "massive and indiscriminate surveillance" of EU citizens by US public authorities (as revealed by Edward Snowden) after their personal data has been transferred to the US, is incompatible with the fundamental right to the protection of personal data under European law. As a result, the Safe Harbor framework was declared invalid and the national data protection authorities ("DPAs") were ordered to act accordingly under their respective national laws.
Soon after, the Article 29 Working Party ("WP29") issued an opinion, which gave the EU and US officials in charge of re-negotiating the Safe Harbor framework (now referred to as the "Transatlantic Data Transfer Agreement") until the end of January 2016 to reach an agreement. A failure to do so would mean that the DPAs would begin to coordinate enforcement actions across Europe. Several DPAs (such as the CNIL in France and the AGPD in Spain) did not wait for this deadline to expire to initiate "soft" enforcement measures such as sending notice letters to all registered data controllers in their respective countries informing them that Safe Harbor could no longer be relied upon to transfer personal data to the US and, as a result, those controllers needed to implement an alternative data transfer mechanism that would enable them to continue transferring data lawfully.
This has usually required companies to quickly sign an intragroup data transfer agreement incorporating the EU standard contractual clauses between all the entities of the group and to update their data processing registrations with the relevant DPAs, including (where required) obtaining the DPA's prior approval to transfer personal data to the US. The bolder and more perspicacious organizations may also have started discussing Binding Corporate Rules, not only as a more solid data transfer solution but also as a global privacy compliance framework that will enable them to better comply with the upcoming General Data Protection Regulation ("GDPR").
In recent days, EU officials have been publicly alluding to the fact that we are no closer to reaching a new deal on Safe Harbor. The blocking points remain the same. On the one hand, the vote in the Senate on the USA Judicial Redress Act has been delayed. This is viewed by EU officials as an essential condition for reaching a new Safe Harbor agreement because it would grant the same rights to EU citizens. This could take a while…
On the other hand, the US and EU cannot seem to agree on a common position regarding access to EU personal data by US public authorities for law enforcement purposes and reasons of national security. This is by far the most contentious point. The European Commission's top officials recently reiterated that the European Union would not agree to a new transatlantic data transfer agreement unless both sides agree on this point. This raises fundamental legal, cultural and philosophical questions between Europe and the US. Whatever is decided in the end is likely to shape US-EU political and diplomatic relations for many years to come. Needless to say, the negotiations are not over and concessions will need to be made on both sides if a deal is to be struck.
The question now is: what will happen when the clock strikes midnight on January 31st if no new Safe Harbor agreement is concluded? The more optimistic among us may still think that a last-minute compromise is possible, but that is wishful thinking. The reality is that it is now very unlikely that a deal will be struck before the end of January and, on the contrary, discussions will continue for several months at least. As stated by Isabelle Falque-Pierrotin (chairwoman of the CNIL and the WP29) a few weeks ago, the end of January was never meant as a hard deadline but rather as a sign that political leaders were committed to the task. At the same time, this does not mean that the DPAs will not engage in enforcement actions post January. I believe they will.
The impact this will have for companies will largely depend on what they have done in the last three months. Those who have acted immediately following the WP29's guidance (or who are in the process of doing so) and have adopted EU model clauses as an alternative for transferring personal data to the US are in a better place than those who have done nothing and who were thinking (or hoping?) that a new agreement would be reached before the end of January, which would enable them simply to transition their transfers under the "new" Safe Harbor framework.
But here's the interesting bit. The DPAs themselves have not yet reached a common position regarding the practical implications of the CJEU's decision on other data transfer mechanisms, such as EU model clauses and BCR. The more conservative DPAs are calling for a general freeze on all data transfers, including those that are based on the EU model clauses or BCR on the grounds that these data export solutions do not legally prevent foreign authorities in the importing countries from accessing EU data for law enforcement purposes. The more business-friendly DPAs are more focused on the consequences this would have for businesses if all means for transferring personal data are frozen.
As you can see, not only is the fate of a new Safe Harbor agreement uncertain, but it is also unclear at this point how the DPAs will decide to enforce the CJEU's decision on other data export solutions. The WP29 is holding a plenary meeting on February 2nd and is expected to reach a common position on this issue. The possible outcomes of this meeting are twofold. Either the WP29 adopts a strict and extensive interpretation of the CJEU's decision, which would mean that all transfers of personal data to the US would be prohibited (including those that are based on the EU model clauses or BCR). This would have a catastrophic effect on the economy, not to mention that it would seriously impede transatlantic relations. Or else, the WP29 decides (in line with its previous opinion) that companies may continue to transfer personal data on the grounds of the EU model clauses and BCR.
The final outcome could lie somewhere between those two positions. One solution could be to ask companies to adopt additional measures, such as an anti-surveillance pledge, under which the business would pledge not to disclose individuals' data to government or law enforcement authorities unless either (1) legally compelled to do so (for example, by way of a warrant or court order), or (2) there is a risk of serious and imminent harm were disclosure to be withheld.
Let us also not forget that under the new article 43a of the GDPR, "Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State." The terms are clear and Europe has set its conditions. Once in force, this provision will apply to all third countries, including China, Russia and India.
Stay tuned for more updates on Safe Harbor in the coming days.
This article was first published on the IAPP's website under The Privacy Advisor.
By Olivier Proust, Of Counsel, Privacy Security & Information.