It is being reported that the European Union and the United States are nearing an agreement on the revised US-EU/US-Swiss Safe Harbor framework. Thousands of US companies that have certified compliance with the Safe Harbor should be encouraged that the framework – which has been the subject of sustained criticism by European data protection regulators – will live another day. At the same time, certified organizations should prepare for enhanced requirements and a more robust enforcement climate that might come with the revised framework.
Among other changes, the revised framework will include strengthened Onward Transfer requirements. “Onward Transfer” is a Safe Harbor principle that governs onward disclosure of European personal data by US recipients to their service providers. The existing Safe Harbor framework’s Onward Transfer principle already mandates flowing down data protection requirements to vendors, so it remains to be seen which aspects of the principle will be enhanced. Safe Harbor compliance monitoring and enforcement are also slated to be enhanced, including with respect to disclosures of European data to US law enforcement authorities.
Beyond the enhancements mentioned in the media, we also expect the revised Safe Harbor framework to reflect the thirteen Safe Harbor recommendations that the European Union set out in November 2013. The EU recommendations focused on:
- Transparency of companies’ privacy practices and Safe Harbor certification status
- Availability, accessibility and affordability of independent dispute resolution mechanisms for resolving privacy complaints
- Robust enforcement of Safe Harbor compliance, including inspections and investigations by US regulators, as well as active cooperation by US regulators with European data protection authorities
- Transparency regarding access to data by US authorities, and minimization of such access
The most important news is that the Safe Harbor will remain a viable framework for transferring personal data from Europe to the United States. We have long viewed the Safe Harbor, when implemented with the necessary level of due diligence, as a fair mechanism for cross-border data transfer that balances European privacy concerns against the needs and realities of trans-Atlantic trade. Companies that have been unsure whether Safe Harbor is the right cross-border data transfer solution will likely soon have the certainty that their investment in complying with the Safe Harbor framework will be worthwhile. The continued viability of the Safe Harbor also means less pressure to adopt the more onerous Model Clauses or Binding Corporate Rules (BCRs) for transfers of personal data from Europe to the US (though, unlike the Safe Harbor, Model Clauses and BCRs also establish a basis for data transfers from Europe to countries other than the US).
The price tag for retaining the Safe Harbor is likely to include enhanced scrutiny of the certified companies’ privacy and information security practices. As the annual re-certifications approach, Safe Harbor-certified organizations should be conducting robust reviews of their practices to ensure that their internal compliance frameworks supporting Safe Harbor certification can withstand regulatory scrutiny.