It has been a very exciting and tumultuous October for privacy professionals. The IAPP Privacy, Security, and Risk Conference in Las Vegas started the month, we had a breach of 15 million individuals, and Safe Harbor was struck down by the EU Court of Justice after the protest of an Austrian student. With the loss of Safe Harbor as a means for US organizations to transport data between nations, there are some big implications for many of us.
For those who are unfamiliar, Safe Harbor has been the mechanism that allowed US organizations to transfer information about individuals from the European Union to the United States. Since the US is not considered by the EU to have adequate data protections, Safe Harbor was put in place through the efforts of the Department of Commerce to allow individual companies to state that they comply with the provisions of the EU’s Data Protection Directive.
In order to comply with Safe Harbor organizations were required to meet seven principles, including notice, choice, onward transfer, security, data integrity, access, and enforcement. Companies would attest they meet the requirements of these principles in a filing submitted at export.gov. Each year the company must again attest to their compliance. The European Union Court of Justice, however, has found that information transferred to the US may not be secure because of organizations cooperating with the US government’s NSA Prism Program. This has led to the invalidation of Safe Harbor as a mechanism for moving information between nations.
So what options do you have now?
Each member of the European Union has their own DPA, or Data Protection Authority. Like all affected businesses, the DPAs are determining how to proceed. While a revised Safe Harbor program is in discussion, it may be a while before that is put in place.
Another way that a legal data transfer from the EU to the US may be accomplished is through binding corporate rules, or BCRs. A BCR is, in essence, the rule book for your organization’s collection and processing of personal information. The DPAs review these rules and approve them if the DPAs feel that adequate protection is being provided for the data.
You could also utilize model contracts. Model contracts are a set of contractual clauses that meets the standards of the EU Data Protection Directive in regards to the storage, use, and transfer of information. These clauses must provide “adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.” Currently, there are two model contracts, one for transfer between data controllers and one for transfer to data processors outside the EU or EEA. Each DPA may have its own set of model clauses.
You could also obtain consent as a method for transferring information. Once you have obtained explicit consent from a data subject, you may move information to your US location for processing or storage. You also have to remember to have a method for the data subject to opt-out of this data transfer. Once this happens, you should already have in place the mechanism to remove or otherwise dispose of that subject’s information and discontinue transferring it.
Safe Harbor is no more?
It is interesting to note that the reasons Safe Harbor was invalidated may also be applied to data transferred to the US through any means including BCRs, model contracts, and consent. It will be interesting to see where the DPAs guidance takes us.
Safe Harbor specifically is gone, but the EU Commission is working with the US Department of Commerce to establish a new mechanism for data transfer. Both parties are hoping for a system that is an improvement over safe harbor, but that also meets the needs of multi-national corporations, encouraging trade and business between and within the effected jurisdictions.