Safe Harbor: choices and solutions.

Safe Harbor: choices and solutions.

Safe Harbor: Storm in a teacup OR tropical revolving storm!

Potted history: Maximillian is an Austrian Facebook user who reads the Snowden revelations and decides he's not happy about his personal details transferring to the US via Facebook Ireland. He complains to the Irish Information Commissioner about US Gov having access to his personal stuff. The Irish ICO says 'wooa, too hard', and hands it off to the European Court of Justice (ECJ). The ECJ says 'this is a no-brainer' and rules that Max's stuff was not kept safe by Facebook Ireland, and they shouldn't have let US Gov root around in his personal life. Facebook Ireland said, 'wooa, we did this legally 'cause we have a Safe Harbor' agreement with the 'Mothership'.' ECJ said, 'Safe Harbor, hah oxymoron', and chucked the whole thing out!

Safe Harbor ruled inadequate, now what?

OK, no dancing round the hand bags. If you are a business that has relied on safe harbor to legitimise the transfer of personal data from the EU to the US, YOU HAVE A PROBLEM.

Transfers that are still taking place under the Safe Harbour 1.0 decision after the ECJ judgement ARE UNLAWFUL. But, very important point, not all data transfers to the US are unlawful, ONLY those which rely on safe harbor.

If you don't know on what legal basis you are transferring data to the US, your lack of attention to the law means you probably have a problem anyway! If you haven't already read the relevant ICO Guidance, avail yourself of a copy, and get speed reading [links at bottom of post].

There are Statutory derogations (ways you can do it without safe harbor..) which you should be aware of. In the UK they are;

  • the data subject has given consent to the transfer;
  • the transfer is necessary for the performance of the contract between the data subject and data controller;
  • the transfer is necessary for the conclusion of the contract between the data subject and data controller;
  • the transfer is necessary or legally required due to important public interest grounds;
  •  the transfer is necessary in connection with the exercise of the defence of legal proceedings/obtaining legal advice; and
  • the transfer is necessary to protect the vital interests of the data subject

BUT! It isn't as simple as burying a paragraph in the privacy policy that says 'we may transfer personal data to countries outside of the EEA'. Whilst option 1 looks appetising, it will be difficult to implement given the strict requirements for 'valid consent'. Consent requires genuine choice, transparency, and a verifiable signifying action; this triptych is not easy to obtain and manage.

So what other options do I have?

Transfers can be;

  • to countries "deemed" to have adequate safeguards in place; (these are now under threat/question given the ECJ ruling)
  • using the appropriate EU Commission approved model transfer terms;
  • subject to the use of binding corporate rules (BCRs);
  • in accordance with an approved private contract; and
  • to companies that have self-assessed their adequacy (caution multiple jurisdictions).

Wait, these all look like a pain in the rear, why don't we just sit tight and wait to see what happens; after all, they can't send us all to jail can they?

The 'sit tight and wait' option.

The law is clear, the ECJ ruling of 6th October 2015 makes 'safe harbor transfers' unlawful. Period.

Continuation of transfers without an alternative legitimising process places the business at risk of fines from Regulators and law suits from individuals. The Article 29 Working Party published a Statement on 16th October 2015, where they clearly stated..

"If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."

Thanks guys, so what do you suggest we do in the meantime?

"in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis."


Reflecting on Risk

Let's start with an analogy; do you think any government would fine a VW/Audi/SKODA owner for driving a car that is illegally polluting the atmosphere? No, me neither. The driver was unaware, unwitting with no alternative, and a solution is being put in place. So this is similar to safe harbor, right? As a business we didn't create the flawed safe harbor decision (2002/520/EC), an EU/US negotiated solution is expected, so why would we be fined?

Why? because there were, and remain, numerous alternatives to safe harbor. As a business you can 'clean up our emissions' i.e. you can implement an alternative protection scheme. It may not be as simple or cost effective to implement, but your obligation to act remains.

Couldn't we just keep our heads down until the newly negotiated Safe Harbor 2.0? Yes, you could, and I believe much like the cookie laws the risk of non-compliance, particularly with less sensitive data, will be acceptable to some organisations.

Watch out for 'flies in the ointment' however; Safe Harbor 2.0 may never materialise and individuals, not just an over-stretched selectively-presbyopic Regulator, can sue for damage and distress caused by a breach of the legislation. Fail to act and you may find a Max Schrems knocking on your door, law suit in hand, seeking compensation! Bottom line: if the personal data you process has the potential to cause damage and distress, don't sit tight, act.

Legal and technical solutions

The DIY option is to carry out your own Adequacy Check. This may prove to be the most sensible option if the data you are transferring has limited capacity to cause damage and distress. Consider building on this with a robust attempt to seek and manage <em>valid</em> consent for the transfer.

If you have more sensitive data (greater potential for harm) you should consider Model Contract Clauses  or  Binding Corporate Rules; but which ?

It depends! The 'elevator pitch' goes like this;

MCCs are quicker, cheaper and adaptable to commercial agreements, but they bind the business to terms which go beyond those required in the Directive and those terms can be directly enforced by the data subjects! Don't forget the alternative, more flexible, International Chamber of Commerce clauses [links below]

BCRs provide a single fix across the whole Group, can be individually tailored, with only one National Authority to liaise with but, they must be supported by a group-wide compliance audit, you may have to deal with more than one national Authority and therefore they take more time and money to set up.

The Action Plan

Now is the time to act. I strongly recommend you identify the level of risk you are exposed to and to do this you need to carry out and document a privacy impact assessment (PIA). The good news is you were going to have to do one of these anyway (when the new EU General Data Protection Regulation is enforced) so just get the two birds with one stone.

If your PIA indicates a high level of risk, the next action is to determine which of the three options described above best fits your corporate risk and business profile.

As with any compliance burden, look to gain brand kudos and business process improvement from the exercise. A good, hard look at you data collection, transfer and security processes can often identify opportunities to streamline, improve and save cost.

When you're given lemons, make lemonade!

Need help?

iCompli can project manage your PIAs and Overseas Transfer compliance. Contact us to discuss how we can help you Today


UK ICO 'Principle 8' Overseas transfer Guidance here

Self assessed 'Adequacy' UK ICO guidance here

Article 29 Working Party 'Safe Harbor' Statement here

ICC alternative model contract clauses here