Transferring personal data from countries in the European Union to other countries, including the United States, recently became far more difficult following a ruling of the Court of Justice of the European Union in October 2015. Policymakers are currently negotiating a new framework for data transfers to ease the legal compliance burden on international companies.
Information privacy laws and regulations in Europe are generally perceived to be much more stringent than in the United States. While the American approach to privacy is a hodgepodge of federal and state statutes, the EU has all-encompassing rules, set out in the Data Protection Directive of 1995, which apply to all business sectors. Although the laws are based on eight commonsense principles, the detailed rules underpinning those principles are often complex. One of the key principles is that personal data must not be transferred outside of the EU unless the recipient country offers an “adequate” level of protection. The U.S. as a whole (unlike certain countries including Argentina, New Zealand and Switzerland) is not deemed to provide “adequate” protection.
In 2000, the U.S. Department of Commerce, in consultation with the European Commission, developed the Safe Harbor framework to provide a method for U.S. companies to transfer personal data outside the European Union while complying with the EU Data Protection Directive. Since then, more than 4,000 U.S. companies have relied on the U.S.-EU “safe harbor” process. By self-certifying that they followed the seven Safe Harbor Privacy Principles, companies could conduct data transfers without violating the Data Protection Directive. Industries and trade groups developed protocols to assist companies with this process.
This process worked — until October, when the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Decision. Key factors influencing this decision were the European court’s views that the United States can no longer be considered to provide “adequate” data protection in light of reports about the National Security Agency’s data collection activities. This view is arguably based more on perception than reality, and the CJEU’s analysis of the activities of the U.S. intelligence services (and the extent of the checks and balances) has been criticized. Following the CJEU decision, the “safe harbor” regime is now under review by EU national governments, as well as non-EU member participants such as Israel and Switzerland.
European and American policymakers are currently negotiating a new framework for data transfers from the ashes of the old one, with the prospective agreement often dubbed “Safe Harbor 2.0.” It is unclear if and when consensus will be reached, although the European Commission recently issued a statement reaffirming its commitment and stating that it has stepped up its talks with the U.S. government.
There is considerable pressure to reach an agreement. The data protection regulators in each EU member country have issued a joint statement that if no appropriate solution is found by the end of January 2016 they will take all necessary action, including coordinated enforcement activities. Similarly, the European Parliament has called on the European Commission to consider alternative mechanisms to Safe Harbor and report back by the end of 2015. In the U.S., the Senate Energy and Commerce Committee has issued a statement calling for the redoubling of efforts to conclude the negotiations as soon as possible, given the critical importance of transatlantic data flows and the need to protect consumer data.
In the meantime, while negotiations continue, companies transferring personal data from the EU must rely on interim solutions, including data transfer agreements incorporating the European Commission’s model contracts.