Data Protection Report - Norton Rose Fulbright

It is being reported that the EU and the US have reached an agreement in principle on the revised cross-border data transfer framework, commonly referred to as Safe Harbor 2.0. Both sides expect further progress on the specifics in November of this year. Some of the thornier issues regarding US surveillance activities, however, which are critical to addressing the concerns the ECJ raised in Schrems, are yet to be firmed up with verifiable compliance commitments.

The revised framework is likely to include:

  • Stronger oversight of the framework certifications by the U.S. Department of Commerce
  • Enhanced coordination on enforcement between EU data protection authorities (“DPAs”) and the FTC
  • More robust and, potentially, proactive compliance enforcement mechanisms
  • Enhanced transparency requirements for privacy disclosures by framework certified companies
  • Stronger privacy and information security requirements for certified companies’ onward disclosures of data to their vendors
  • Independent redress mechanisms on which consumers can rely to efficiently address their privacy concerns
  • An annual review requirement for the revised framework, to ensure the US and EU abide by their commitments

The European Commission has indicated that it would issue further guidance regarding international data transfers in the near term.

Our Take

The twenty-five days that have passed since the Schrems decision have been a rollercoaster for privacy professionals and our clients. Although we may hope that reason will prevail on both sides of the Atlantic, and Safe Harbor 2.0 will take hold, there are reasons why Safe Harbor 2.0 is a difficult proposition. Effectively, the Schrems decision took away from the EU Commission the authority to bind DPAs by its adequacy determinations under the European Data Protection Directive 95/46/EC. This means that the Commission would not be able to make an unchallengeable, binding determination on its own that the revised framework (or any framework) meets the Directive’s adequacy requirements.

While the Commission could make an initial adequacy determination with respect to the new framework, every EU Member State DPA would have the authority to make its own determination of adequacy with respect to the new framework (if, for example, the adequacy of the framework was at issue in resolving a consumer’s complaint). This new reality of the DPAs having the ultimate power to make independent adequacy determinations takes away from the Safe Harbor the key characteristic that made the framework an attractive cross-border data transfer solution – certainty. Without certainty, Safe Harbor is unlikely to be an attractive option for US companies.

Thus, in the current circumstances, unless there is a plan for all Member State DPAs — or at least the key Member State DPAs — to approve the new framework, it is unlikely to provide the relief that businesses on both sides of the Atlantic are seeking. Ultimately, however, the issue of cross-border data transfers must be solved pragmatically and comprehensively, and this task seems exceedingly difficult if the US is in essence negotiating with the DPAs rather than with the EU Commission.

Are there other paths? While this might be a “nuclear option,” it is worth recalling that the original EU-US Safe Harbor negotiations involved repeated assertions by Ira Magaziner, the White House’s then information technology czar, that the US would take WTO action should the EU stop data flows. While scholars disagree whether there was merit to that assertion at the time, there are arguably stronger grounds today than in 2000 for asserting that the EU is implementing the Directive in a discriminatory fashion in blocking data transfers to the US. For example, in the current controversy there is no indication that the EU is stopping data transfers to China or India. Further, adequacy determinations with respect to Argentina and Israel, among others, may also be viewed as examples of arbitrary or discriminatory implementation of the Directive when those countries’ data protection and surveillance regimes are objectively compared to those in the US.