Safe Harbor 2.0—Will This New Year's Resolution Succeed?
In October, Europe's highest court invalidated the US-EU Safe Harbor agreement in the landmark Schrems
The original Safe Harbor agreement, which had been in place for more than a decade, enabled some 4,500 US and EU companies to transfer the personal data of EU citizens across the Atlantic despite the United States’ “inadequate” level of data protection under EU law. Since the Schrems
decision, US and EU officials have collaborated in search of a viable replacement framework, which is commonly referred to as “Safe Harbor 2.0.” Negotiations on Safe Harbor 2.0 are expected to yield a new agreement by the end of this month. But, as we all know, even the most well-intentioned New Year's resolutions sometimes fail. The clock is ticking as some European data protection authorities have pledged to take enforcement action against companies relying on the old framework if no Safe Harbor 2.0 agreement is negotiated by January 31, 2016.
Status of Safe Harbor 2.0 Negotiations
Like many well-intentioned New Year's resolutions, is Safe Harbor 2.0 destined to fail? The answer is unclear. Some officials have expressed skepticism that an agreement will be reached by the end of January. For example, Dutch Justice Minister Ard van der Steur lamented in early December that negotiations on key national security issues had yet to even begin. However, FTC chairwoman Edith Ramirez recently expressed optimism that negotiators were “well on our way” to reaching an agreement on Safe Harbor 2.0 by the end of January. Moreover, officials on both sides of the Atlantic have emphasized the importance of maintaining the free flow of commerce and information between the US and the EU.
A potential complication for the fate of Safe Harbor 2.0 is a case pending in federal court in New York regarding access to EU personal data by US law enforcement authorities. In that case, the US Department of Justice (“DOJ”) is seeking to compel Microsoft to provide emails from the accounts of EU customers that were stored exclusively on servers in Ireland. Microsoft contends that the DOJ should be required to invoke the US-Ireland Mutual Legal Assistance Treaty when seeking such data, rather than unilaterally accessing data subject to Irish and EU privacy laws. Privacy experts in both the US and the EU have expressed concern that a ruling in favor of the government could jeopardize Safe Harbor 2.0 by strengthening the argument of some critics that US law is inadequate to protect Europeans’ personal data.
Preparing for the Unknown
So what if negotiations fail to produce Safe Harbor 2.0 by the end of this month? Although an agreement seems likely in light of the importance of commercial data flows to both the US and the EU, companies nonetheless should be aware that some EU data protection authorities may begin to take enforcement actions if an agreement is not reached by the end of January. This means that companies should assess alternative strategies for EU-US data transfers, such as the adoption of Model Contract Clauses or Binding Corporate Rules.
With Binding Corporate Rules taking some companies over a year to implement, many companies may find that Model Contract Clauses are a viable short-term solution. In the meantime, it will also be important to monitor continuing developments in the negotiations for the Safe Harbor 2.0 framework.
Ice Miller’s Data Security and Privacy Practice advises clients on international data transfers and international data protection compliance. Nick Merker, a former systems, network, and security engineer, is a co-chair of Ice Miller’s Data Security and Privacy Practice and speaks frequently on international data transfers in the United States and abroad. Merker can be reached at firstname.lastname@example.org
or (312) 726-2504. Eric McKeown, a former software developer, is a member of Ice Miller's Data Security and Privacy Practice. McKeown can be reached at email@example.com
or (317) 236-2124. John Pence is a member of Ice Miller's Data Security and Privacy Practice.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.