The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It took a couple of years after Edward Snowden’s revelations for the train to reach its highest point, but once the European Court of Justice (ECJ) ruled in the Schrems case, we knew it would be a bumpy ride.
In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten the regime affecting international dataflows. The European Commission’s communication of 6 November to the European Parliament and the Council of the EU, coupled with its practical guidance, represents yet another turn in this uncertain journey.
At the same time, the Commission’s intervention is helpful to the many organisations for which transatlantic transfers are vital and which are still grappling with how to decide what to do next.
Here are some practical conclusions we can draw from the Commission’s position.
Safe Harbor 2.0
Like its predecessor, Safe Harbor 2.0 will be the result of hard-fought negotiations between two parties that badly want the deal done but do not have much room to manoeuvre. Neither the Commission nor the U.S. Department of Commerce is blind to what is at stake here. But because the standards the ECJ set for lawful disclosure of data to public authorities are so high, both parties are in a difficult position.
Bottom line: Safe Harbor 2.0 will definitely happen—we are probably about 90 percent of the way there—but the Commission is realistically asking for three more months to reach a final agreement. The big question mark is whether Safe Harbor 2.0 will address the weaknesses identified by the ECJ to the data protection authorities’ satisfaction. The answer is probably yes, but we should expect some hard-core dissents.
Are current alternatives good enough?
At a practical level, and since it is unwise to see Safe Harbor 2.0 as a silver bullet, the key issue is what organisations can do now to keep operating as a 21st-century business while safeguarding their international dataflows.
The two most obvious options—the standard contractual clauses (SCCs) approved by the Commission itself and Binding Corporate Rules (BCRs)—are not seen by all data protection authorities as completely rock solid. Otherwise, they would have said so in their own statement. Instead, they also gave themselves three months to figure out whether these mechanisms are good enough. This is where the Commission’s stance is most visible, since its defence of both mechanisms is fierce. In a slightly defiant tone, the Commission points out that since its decisions are binding on the member states, national authorities are in principle under an obligation to accept SCCs. Consequently, they may not refuse a transfer of data to a third country on the sole basis that the SCCs do not offer sufficient safeguards.
Yet the Commission is also forced to acknowledge that this is without prejudice to the authorities’ power to examine SCCs—or BCRs, for that matter—in the light of the requirements set out by the ECJ in the Schrems ruling. All in all, what seems evident is that as long as SCCs and BCRs address the issue of access to data by public authorities in a reasonable manner, they provide a good basis for enabling international dataflows.
Existing adequacy findings
So that nobody feels off the hook, it is also quite telling that the Commission stresses that even countries declared safe by means of an adequacy finding will be under scrutiny to make sure that their local legislation still provides an adequate level of protection. In fairness, the Commission already has a lot on its plate, so country-specific assessments are probably not at the top of its list, but the message is there.
The many players involved in the Safe Harbor saga have all made their moves and seem to be watching each other carefully. What they seem to agree on is that Safe Harbor’s invalidity is not an excuse for lowering the level of data protection. Quite the opposite, the opening paragraph in the Commission’s communication refers to the importance of the fundamental right to protection of personal data, as enshrined in the Charter of Fundamental Rights of the EU, including when the data is transferred outside the EU. For that reason, ensuring an adequate level of data protection beyond borders has become a top priority for policy makers, regulators and courts.
We have been warned.
This entry originally was published on the International Association of Privacy Professionals’ (IAPP) Privacy Perspectives blog.