Skip to main content

What will you actually have to do if Safe Harbor falls?

Phil Lee
"Hell hath no fury like a woman scorned" or so goes the saying. Nor would it seem, hath it a fury like a student scorned. After many months of litigating, Austrian student-turned-privacy-activist Max Schrems tweeted today that the European Court of Justice would deliver its final judgment on the future of Safe Harbor on 6th October at 9.30am CET.

"Hell hath no fury like a woman scorned" or so goes the saying.  Nor would it seem, hath it a fury like a student scorned.  After many months of litigating, Austrian student-turned-privacy-activist Max Schrems tweeted today that the European Court of Justice would deliver its final judgment on the future of Safe Harbor on 6th October at 9.30am CET.

If true (and Schrems tweeted a picture of the notification of judgment, so there's every reason to believe it is), the timing of this judgment is surprising coming, as it does, just a couple of weeks after Advocate General Bot's damning opinion that the Safe Harbor framework is invalid.  Speculation will inevitably run rife, and many will assume that the prompt timing of the judgment is indication that the Court will effectively rubber-stamp the earlier opinion given by the AG.

Speculation, gossip, and rumour, though, benefit no one; businesses will only be able to plan and adapt once the final judgment is delivered.  This got me to thinking: what will businesses actually have to do if Safe Harbor is shot down - at least throughout the period until/if Safe Harbor 2.0 is approved.  Sure, there's been a lot written (including by me) about how businesses will need to 'contingency plan' or 'transition' to a new data export regime - but what does that really mean in practice?

Here's what I can foresee just off the top of my head:

1.  Model clauses are probably the only option initially.  First off, supposing Safe Harbor is shot down in the next couple of weeks, then - short of a miracle - we can safely say that Safe Harbor 2.0 will not yet have been agreed between the Commission and the US Department of Commerce.  Given that the BCR process is, at best, an 18 month project (don't believe anyone who tells you otherwise), businesses will have no choice but to adopt model clauses or accept non-compliance risk for now.

2.  Figure our what model clauses you need (hint: there are more than one type!) How do they go about implementing model clauses?  To begin with, they will need to explore their data exports holistically.  That means not just thinking about data exports of customer content, but also thinking about exports of CRM, employee and vendor data.  Whereas all four categories of exports may have previously been covered under a single Safe Harbor certification, different model clause solutions may be needed for, say, customer content data (often exported on a controller-to-processor basis, requiring the 2010 model clauses) and CRM, employee and vendor data (typically exported on a controller-to-controller basis, requiring the 2001 or 2004 model clauses).  In other words, one previous Safe Harbor solution may need to be broken into two separate sets of model clause solutions.

3.  Go back and sign model clauses with customers who want them.  Where the business is exporting customers' data on a controller-to-processor basis, it will have to approach its customers (or, more likely, it will get approached by its customers) and execute model clauses with them.  That immediately creates an administrative burden, but the business will also need to consider whether it wants to introduce any commercial clauses into the model clauses it signs with customers to manage its risk - remember, model clauses don't have any liability caps after all!  That requires negotiation and, inevitably, will entail some lengthy conversations with customers who are nervous about what negotiating away from the 'standard' form of the model clauses will mean for their own compliance.

4.  You'll also need intra-group model clauses.  Intra-group exports of CRM, employee and vendor data are somewhat easier, because the business will ultimately be contracting with itself, but it will need to map out which entities are exporting to which, and ensure that all appropriate group entities are signed up and their data flows accurately described within the clauses.  And, of course, they'll have to get the model clauses executed which, depending on the group structure, its size, intra-group powers of attorney, and contract execution rights, may be a much more challenging task than it sounds.

5.  Don't just sign the paperwork and forget about it: It doesn't end there, either.  Businesses who execute model clauses will then need to make sure they actually implement their requirements - particularly, in the case of controller-to-processor model clauses - their subcontracting provisions.  That essentially means flowing down the model clause terms to any third party non-EEA vendors that the business engages to process EEA personal data.  This itself will prove very tricky - many non-EEA vendors will cry ignorance of the model clauses, insist that they don't actually process personal data ("you have the encryption key - we don't know what it is!", "we only provide co-location facilities", etc.), maintain that they don't sign model clauses as a matter of principle, and so on.  That leaves the business in a difficult position - it either has to tolerate the non-compliance and have customer-facing breach exposure, transition to a new vendor who will sign model clauses or, if it has the leverage, simply force model clauses on the vendor.  Having been part of these negotiations first-hand on many an occasion, I know how hard this is.

6.  There's all those policies to update too!  There's another consideration too - what about all those external and internal-facing policies (website privacy policies, corporate data protection policies, whistleblowing policies) where the business proudly espouses its use of Safe Harbor for compliance purposes?  They all need to be revisited, updated, agreed internally, re-translated (where operating across multiple jurisdictions), re-posted, and possibly even notified to affected data subjects.  Phew!  What a task.

7.  You may even need to establish an EEA controller - just to sign your model clauses! It must be over there, right?  Nope - there's at least one more task.  What if you are an online B2C business without an EEA group company serving as your EEA data controller?  Odds are you've not been worrying about your lack of EEA controller, because you never had to: you were safely able to receive data in the US before in reliance on your Safe Harbor certification.  But if Safe Harbor goes away and you have to implement model clauses, you suddenly have to find an EEA group company you can enter the model clauses with!  And that means you have to find an EEA group company willing to be your EEA data controller so that it can sign model clauses with you!  And that in turn may mean a fairly seismic-shift in the structure and organization of your internal data governance program.

So, to all those of you who were thinking "Well, it's not that big a deal if Safe Harbor goes - there's always model clauses", the above is just a taste of what may be in store in terms of compliance actions needed to transition over to model clauses as a replacement data export solution.  And, after all that, data will still flow to the US, and internationally, just as it ever did before - so does anyone really feel that data will be better protected in a Safe Harborless world?

Sign up to our email digest

Click to subscribe or manage your email preferences.