Archive for the ‘Binding Corporate Rules’ Category

DPAs react to the CJEU’s decision on Safe Harbor

Posted on October 22nd, 2015 by

Since the CJEU’s decision of 6 October 2015 invalidating the EU/US Safe Harbor framework, Safe Harbor has continued to make the headlines and there have been new legal developments each day. This blog post summarizes the public statements made in recent days by the data protection authorities (DPAs) in the EU and by regulators in other parts of the world.

Reaction of the European DPAs

On 16 October 2015, the Article 29 Working Party (WP 29) issued a public statement which says that the DPAs have discussed the consequences of the CJEU’s decision. The position of the WP 29 is summarized below.

What is the WP 29’s analysis of the CJEU’s decision on Safe Harbor?

Unsurprisingly, the WP 29 says “it is clear that companies can no longer rely on Safe Harbor to transfer their data to the US“. For any company still wondering whether its transfers under Safe Harbor are lawful, the WP 29 confirms that “transfers that are still taking place under the Safe Harbor decision are now considered to be unlawful“.

The WP 29 also states: “It is absolutely essential to have a robust, collective and common position on the implementation of the judgment“.

The WP 29 highlights that “the question of massive and indiscriminate surveillance is a key element of the Court’s analysis” and that “such surveillance is incompatible with the EU legal framework“. The WP 29 makes a particularly bold statement by saying that “countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers“, a remark which appears to be aimed at the US authorities.

What should companies do?

Unfortunately, the WP 29 does not provide a lot of practical guidance for companies. It simply says that “businesses should reflect on the possible risks that they are taking when transferring data and should consider putting in place any legal and technical solution in a timely manner to mitigate those risks and respect the EU data protection acquis“.

Two points are worth highlighting. First, the WP 29 calls upon companies to assess their level of compliance for all types of data transfers, not just those that are based on Safe Harbor. Second, companies need to do so in a “timely manner”, which is the WP 29’s way of saying that there is no time to lose. Companies that have already begun to implement measures in response to the CJEU’s decision are in a better position than those that have not.

Does the CJEU’s decision affect other data transfer mechanisms (e.g., the EU Model Clauses and Binding Corporate Rules)?

The WP 29 says that it “will continue to analyse the impact of the CJEU’s judgment on other data transfer tools“, which in itself is not very reassuring given the reactions of some of the DPAs. In Germany, for example, the data protection authority for the German state of Schleswig-Holstein issued a position paper in which it takes the view that the EU model contract clauses can no longer be relied on for transfers to the US.

Nonetheless, the WP 29 does convey a more reassuring message to companies by saying that “EU model clauses and BCR can still be used”. At this point, it is difficult to predict what will be the impact of the Safe Harbor decision on Model Clauses and BCR and so we will continue to monitor the situation in the weeks to come.

How will the DPAs enforce the CJEU’s decision?

The good news is that the WP 29 has granted a grace period to find an appropriate solution with the US authorities. The bad news is that this grace period will expire at the end of January 2016, which leaves very little time for companies to adapt.

Until then, if no solution has been found (a Safe Harbor 2.0?) and depending on the assessment that is made by the WP 29 of the other data transfer mechanisms, “the DPAs are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions“. As we have seen in recent months on other issues (such as mobile apps and cookies), the DPAs have demonstrated their ability to conduct pan-European enforcement actions. However, one should not forget that, even if the DPAs do launch a coordinated enforcement action, the actual enforcement measures can only be imposed by each DPA at national level under its own national law. And the new enforcement provisions under the upcoming General Data Protection Regulation (GDPR) will not come into force before 2018 (assuming the text of the GDPR is formally adopted in 2016).

In the meantime, the WP 29 reminds companies that each national DPA can “investigate particular cases, for instance on the basis of complaints, and exercise their powers in order to protect individuals“, which means that each DPA can act independently against any company in accordance with its national law.

The WP 29 also says that the DPAs “will also put in place appropriate information campaigns at national level to ensure that stakeholders are sufficiently informed“, which may include “direct information to all known companies that used to rely on the Safe Harbor decision as well as general messages on the DPAs’ websites“. And so, companies that have filed DPA notifications and/or obtained the approval of the DPAs to transfer data to the US on the basis of Safe Harbor could be contacted by the DPAs in the days or weeks to come and should therefore be prepared to explain to the DPAs what remediation measures they have put in place.

What next?

The WP 29 says that it “is urgently calling on the EU Member States and the European institutions to open discussions with the US authorities in order to find a political, legal and technical solution that enables companies to transfer personal data to the US in compliance with respect for fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects“. It is interesting to note that the WP 29 does say that “the current negotiations around a new Safe Harbor could be a part of the solution” and so it has willingly left that window open.

The WP 29 also states: “The task that lies ahead to find a sustainable solution in order to implement the CJEU’s decision must be shared between the DPAs, the EU institutions, EU Member States and businesses“. With the GDPR soon to be adopted, this will be a challenge to get all the stakeholders to agree on a new Safe Harbor framework that complies with the provisions of the GDPR.

Reaction of the regulators in other parts of the world

The Safe Harbor decision has also caused a ripple effect beyond the European Union borders and regulators in other parts of the world have also reacted to the CJEU’s decision.

United States:

The US Department of Commerce published an advisory on the Safe Harbor website stating: “In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework“. One fails to see how the Department of Commerce can actually continue to process submissions for self-certification to Safe Harbor when such transfers are now clearly unlawful under European law.

Israel:

On 19 October 2015, the Israeli Law, Information and Technology Authority (ILITA) issued a statement revoking its prior authorization to transfer data from Israel to the US on the basis of Safe Harbor. Under Israel’s data protection law, transfers of data from Israel to a third country are permitted if the recipient country receives data from the EU under the same terms of acceptance. Since the CJEU’s decision invalidates the authorization to transfer personal data from Europe to companies self-certified under Safe Harbor, ILITA’s position is that organizations can no longer rely on this derogation as a basis for the transfer of personal data from Israel to organizations in the United States.

In the absence of an alternative valid arrangement or another formal decision of the EU on the transfer of data from the EU to the US, companies that want to transfer personal data from Israel to the US are therefore required to assess whether they can legitimize their transfers under one of the other derogations set out in Israel’s data protection law.

Switzerland:

On 7 October 2015, the Swiss Federal Data Protection and Information Commissioner (FDPIC) issued a first press release on its website stating that the Swiss/US Safe Harbor decision “is also called into question” by the CJEU’s decision: “As far as Switzerland is concerned, in the event of renegotiation, only an internationally coordinated approach that includes the EU is appropriate.”

On 22 October 2015, the FDPIC made a second statement which says that “as long as Switzerland has not renegotiated a new Safe Harbor Framework with the United States, Safe Harbor cannot be deemed a valid legal mechanism for transferring personal data to the US.” It would seem, therefore, that without officially revoking the Swiss/US Safe Harbor program, it is de facto no longer possible for Swiss-based companies to transfer personal data to the US on the grounds of Safe Harbor.

Without explicitly mentioning any enforcement actions, the FDPIC calls upon businesses that are transferring personal data to the US to adapt their contracts with US companies before the end of January 2016. The FDPIC will also coordinate with the EU DPAs to determine what other actions may be required to protect the fundamental rights of individuals.

By Olivier Proust

Europe now holds the key to the future of privacy

Posted on October 10th, 2015 by

A lot is being said about the CJEU’s ruling on Safe Harbor. Without any doubt, for the privacy community this is the most important legal development since the EU Commission’s announcement of a revision to the Data Protection Directive of 1995. What the Court’s ruling shows us is that privacy has become a major area of law and an absolute priority in terms of compliance for any company.

Among the many issues that this decision raises, I’d like to focus on two key issues. The first is enforcement. Many companies are wondering what the risk is for them now that Safe Harbor has been pronounced invalid. As a lawyer, I believe there is no point in arguing with the CJEU’s ruling (see our separate analysis of the CJEU’s ruling in the Max Schrems case). Some may disagree with it, but it is now the law in Europe, and we need to accept it.

As a practitioner, however, I think we need to analyse the Court’s decision in a practical and pragmatic manner. Strictly from a legal point of view, the CJEU’s decision leaves no room for interpretation: Safe Harbor is invalid, and so companies can no longer rely on it to transfer their data to the U.S. But, in practical terms, it is unrealistic to think that EU companies will suddenly pull the plug and stop transferring their data to the U.S.

Technically, I’m not sure this is feasible, and, certainly, this would have a devastating effect on our economy and on the relations between the EU and the U.S. It also seems unlikely that the national data protection authorities (DPAs) will suddenly begin to investigate companies, or worse, to sanction them because they continue to transfer personal data to the U.S. Let us not forget that in many EU member states, the national DPAs have approved the transfers of data to the U.S. on the basis of Safe Harbor. In my opinion, it would make no sense, and would serve no real purpose, if the DPAs were suddenly to repeal the approvals that they have granted to thousands of companies over the last 15 years.

That is not to say that the DPAs will take no action. On the contrary, there is now a high expectation for companies to reassess their data flows and, where needed, to implement new measures for transferring data outside the EU. It is also important to note that, while Safe Harbor can no longer be used as a legal basis for transferring data outside the EU, the measures that companies have put in place to comply with the Safe Harbor principles should remain valid. In the end, what really matters is whether and how companies are safeguarding the data they transfer outside the EU, regardless of the legal basis on which they rely to do so. And so, as a short-term solution, a decision from the DPAs to grant companies a grace period that would allow them to leverage the efforts they have made in the past in order to transition toward another data-transfer mechanism would certainly be welcome. At the same time, let’s not be naïve. The CJEU’s ruling empowers the DPAs tremendously and, once the General Data Protection Regulation (GDPR) is finally adopted, they will have unprecedented powers to investigate and sanction companies. So the clock has already begun to tick for those companies that were relying on Safe Harbor…

The second point I’d like to make is that the national DPAs have here a unique opportunity to send a clear and consistent message to the world. Some people are already commenting—rightfully so!—that there is a risk that the court’s decision will be interpreted differently by the DPAs in their respective jurisdictions, which would result in a patchwork of different interpretations and solutions across Europe. Well, I think the situation demands that the Article 29 Working Party adopt a common and unified position. Too often, Europe has been criticised for its lack of harmonisation and its fragmented approach to law. Now is the moment to show the world that Europe can speak in harmony. If the DPAs fail to seize this moment, the risk is that the relations between the EU and the U.S. will be significantly damaged, and this will leave literally thousands of companies in limbo.

As for the issue regarding the disclosure of personal data to foreign authorities, which is really the pivotal issue here, the CJEU’s ruling has repercussions beyond Safe Harbor because it concerns data transfers as a whole—meaning that the analysis can be applied to adequacy decisions, the EU model clauses and Binding Corporate Rules. Thus, the CJEU’s decision calls for EU legislators to adopt a coherent and consistent position on this issue across the different legal frameworks that are currently being prepared: the GDPR, the “new” Safe Harbor framework and the so-called Umbrella Agreement on the transfers of personal data between the EU and the U.S. for justice and law-enforcement purposes. And so, once again, consistency seems to be the key word to ensure that a fair balance is found between the protection of the individual’s privacy and the freedom to conduct business—both of which are fundamental rights under the European Charter of Fundamental Rights.

Europe may be holding the key to the future of privacy, but it needs to embrace this future with a clear, pragmatic and realistic vision. Otherwise, I fear the upcoming GDPR will fail to achieve its goal.

This article was first published in the IAPP’s Europe Data Protection Digest on 9th October 2015.

What data protection reform would look like if it were up to me.

Posted on September 16th, 2015 by

Earlier today I attended a superb session of the Churchill Club in Palo Alto, at which the European Data Protection Supervisor was speaking on data protection and innovation.  As he spoke about the progress of the EU General Data Protection Regulation and what its impacts would be upon business, I found myself given to thinking about what EU data protection reform would be like if it were up to me.

Of course, this is by definition somewhat of a navel gazing exercise because EU data protection reform is not up to me.  Nevertheless, I thought I would at least share some of my thoughts to see to what extent they strike a chord with readers of our blog – and, perhaps, even reach the ears of those who do make the law.

So, if you’ll allow me this indulgence, here’s what my reforms would do:

1.  They would strike a balance between supporting privacy rights, economic and social well-being and innovation.  Fundamentally, I support the overarching goals of the GDPR described in its recitals – namely that “the principles and rules on the protection of individuals with regard to the processing of their personal data should …. respect their fundamental rights and freedoms, notably their right to protection of personal data” and that those rules should “contribute to an area of freedom, security and justice …, to economic and social progress, … and the well-being of individuals.”  Yet, sometimes within the draft texts of the GDPR, this balance has been lost, with provisions swinging so far towards conservatism and restrictiveness, that promotion of economic progress – including, critically for any economy, innovation – gets lost.  If it were up to me, my reforms would endeavour to restore this balance through some of the measures described below.

2.  They would recognize that over-prescription drives bad behaviours.  A problem with overly-prescriptive legislation is that it becomes inherently inflexible.  Yet data protection rules need to apply across all types of personal data, across all types of technologies and across all sectors.  Inevitably, the more prescriptive the legislation, the less well it flexes to adapt to ‘real world’ situations and the more it discourages innovation – pushing otherwise would-be good actors into non-compliance.  And, when those actors perceive compliance as unobtainable, their privacy programs become driven by concerns to avoid risk rather than to achieve compliance – a poor result for regulators, businesses and data subjects alike.  For this reason, my data protection reforms would focus on the goals to be achieved (data stays protected) rather than on the means of their achievement (e.g. specifying internal documentation needs).  This is precisely why the current Data Protection Directive has survived as long as it has.

3.  They would provide incentives for pseudonymisation.  Absent a few stray references to pseudonymisation here and there across the various drafts of the GDPR, there really is very little to incentivise adoption of pseudonymisation by controllers – pseudonymised data are protected to exactly the same standard as ‘ordinary’ personal data.  Every privacy professional recognizes the dangers of re-identification inherent in pseudonymised data, but treating it identically to ordinary personal data drives the wrong behaviour by controllers – perceiving little to no regulatory benefit to pseudonymisation, controllers decline to adopt pseudonymisation for cost or other implementation reasons.  My reforms would explore whether pseudonymisation could be incentivised to encourage its adoption, for example by relaxing data minimization, purpose limitation or data export rules for pseudonymised data, in addition to existing proposals for relaxed data breach notification rules.

4.  They would recognize the distinct role of platforms.  European data protection professionals still operate in a binary world – businesses are either ‘data controllers’ or ‘data processors’.  Yet, increasingly, this binary division of responsibility and liability doesn’t reflect how things operate in reality – and especially in an app-centric world operating over third party cloud or mobile platforms.  The operators of these platforms don’t always sit neatly within a ‘controller’ or a ‘processor’ mold yet, vitally, are the gatekeepers through which the controllers of apps have access to the highly sensitive information we store on their platforms – our contact lists, our address books, our health data and so on.  We need an informed debate as to the role of platforms under revised data protection rules.

5.  They would abandon outdated data export restrictions.  It’s time to have a grown up conversation about data exports, and recognize that current data export rules simply do not work.  Who honestly believes that a model contract protects data?  And how can European regulators promote Binding Corporate Rules as a best practice standard for data export compliance, but then insist on reviewing each and every BCR applicant when they are too poorly resourced to do so within any kind of commercially acceptable timescale?  And how can we possibly complain about the US having poor Safe Harbor enforcement when we have little to no enforcement of data export breaches at home in the EU?  Any business of scale collects data internationally, operates internationally, and transfers data internationally; we should not prohibit this, but should instead have a regulatory framework that acknowledges this reality and requires businesses to self-assess and maintain protection of data wherever it goes in the world.  And, yes, we should hold businesses fully accountable when they fail to do so.

6.  They would recognise that consent is not a panacea.  There’s been a strong narrative in Europe for some time now that more data processing needs to be conditioned on individuals’ consent.  The consensus (and it’s not a wholly unfair one) is that individuals have lost control of their data and consent would somehow restore the balance.  It’s easy to have sympathy for this view, but consent is not all it’s cracked up to be.  Think about it, if consent were a requirement of processing, how would businesses be forced to respond?  Particularly within the European legislative environment that considers almost all types of data to be ‘personal’ and therefore regulated?  The answer would be a plurality of consent boxes, windows and buttons layered across every product and service you interact with.  And, to make matters worse, the language accompanying these consents would invariably become excessively detailed and drafted using ‘catch-all’ language to avoid any suggestion that the business failed to collect a sufficiently broad consent.  Clearly, there are places where consent is merited (collection and use of sensitive data being a prime example) but for other uses of data, a well-structured data protection regime would instead promote the use of legitimate interests and other non-consent based grounds for data processing – backed, of course, by effective regulatory audit and sanctions in order to provide the necessary checks and balances.

So there you have it.  Those are just a few of my views – I have others, but I’ll spare you them for now, and no doubt you’ll have views of your own.  If you agree with the views above, then share them; if you don’t, then share them anyway and continue the debate.  We’ll only ever achieve an appropriate regulatory framework that balances the needs of everyone if we all make our voices heard, debate hard, and strive to reach consensus on the right data protection regime fit for the future!

Handling government data requests under Processor BCR

Posted on June 2nd, 2015 by

Earlier today, the Article 29 Working Party published some new guidance on Processor BCR. There’s no reason you would have noticed this, unless you happen to be a BCR applicant or regularly visit the Working Party’s website, but the significance of this document cannot be overstated: it has the potential to shape the future of global data transfers for years to come.

That’s a bold statement to make, so what is this document – Working Party Paper WP204 “Explanatory Document on the Processor Binding Corporate Rules” – all about? Well, first off, the name kind of gives it away: it’s a document setting out guidance for applicants considering adopting Processor BCR (that’s the BCR that supply-side companies – particularly cloud-based companies – are all rushing to adopt). Second, it’s not a new document: the Working Party first published it in 2013.

The importance of this document now is that the Working Party have just updated and re-published it to provide guidance on one of the most contentious and important issues facing Processor BCR: namely how Processor BCR companies should respond to government requests for access to data.

Foreign government access to data – the EU view

To address the elephant in the room, ever since Snowden, Europe has expressed very grave concerns about the ‘adequacy’ of protection for European data exported internationally – and particularly to the US. This, in turn, has led to repeated attempts by Europe to whittle away at the few mechanisms that exist for lawfully transferring data internationally, from the European Commission threatening to suspend Safe Harbor through to the European Parliament suggesting that Processor BCR should be dropped from Europe’s forthcoming General Data Protection Regulation (a suggestion that, thankfully, has fallen by the wayside).

By no means the only concern, but certainly the key concern, has been access to data by foreign government authorities. The view of EU regulators is that EU citizens’ data should not be disclosed to foreign governments or law enforcement agencies unless strict mutual legal assistance protocols have been followed. They rightly point out that EU citizens have a fundamental right to protection of their personal data, and that simply handing over data to foreign governments runs contrary to this principle.

By contrast, the US and other foreign governments say that prompt and confidential access to data is often required to prevent crimes of the very worst nature, and that burdensome mutual legal assistance processes often don’t allow access to data within the timescales needed to prevent these crimes. The legitimate but conflicting views of both sides lead to the worst kind of outcome: political stalemate.

The impact of foreign government access to data on BCR

In the meantime, businesses have found themselves trapped in a ‘no man’s land’ of legal uncertainty – the children held responsible for the sins of their parent governments. Applicants wishing to pursue Processor BCR have particularly found themselves struggling to meet its strict rules concerning government access to data: namely that any “request for disclosure should be put on hold and the DPA competent for the controller and the lead DPA for the BCR should be clearly informed about it.” (see criterion 6.3 of the Processor BCR requirements)

You might fairly think: “Why not just do this? If a foreign government asks you to disclose data, why not just tell them you have to put it on hold until a European DPA sanctions – or declines – the disclosure?” The problem is that reality is seldom that straightforward. In many jurisdictions (and, yes, I’m particularly thinking of the US) putting a government data disclosure order “on hold” and discussing it with a European DPA is simply not possible.

This is because companies are typically prohibited under foreign laws from discussing such disclosure orders with ANYONE, whether or not a data protection authority, and the penalties for doing so can be very severe – up to and including jail time for company officers. And let’s not forget that, in some cases, the disclosure order can be necessary to prevent truly awful offences – so whatever the principle to be upheld, sometimes the urgency or severity of a particular situation will simply not allow for considered review and discussion.

But that leaves companies facing the catch-22. If they receive one of these orders, they can be in breach of foreign legal requirements for not complying with it; but if they do comply with it, they risk falling foul of European data protection rules. And, if you’re a Processor BCR applicant, you might rightly be wondering how on earth you can possibly give the kind of commitment that the Working Party expects of you under the Processor BCR requirements.

How the Working Party’s latest guidance helps

To their credit, the Working Party have acknowledged this issue and this is why their latest publication is so important. They have updated their BCR guidance to note that “in specific cases the suspension and/or notification [to DPAs of foreign government data access requests] are prohibited”, including for example “a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation”. In these instances, they expect BCR applicants to use “best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible”.

So far, so good. But here’s the kicker: they then say that BCR applicants must be able to “demonstrate” that they exercised these “best efforts” and, whatever the outcome, provide “general information on the requests it received to the competent DPAs (e.g. number of applications for disclosure, type of data requested, requester if possible, etc.)” on an annual basis.

And therein lies the problem: how does a company “demonstrate” best efforts in a scenario where a couple of NSA agents turn up on its doorstep brandishing a sealed FISA order and requiring immediate access to data? You can imagine that gesticulating wildly probably won’t cut it in the eyes of European regulators.

And what about the requirement to provide “general information” on an annual basis including the “number of applications for disclosure”? In the US, FISA orders may only be reported in buckets of 1,000 orders – so, even if a company received only one or two requests in a year, the most it could disclose is that it received between 0 and 999 requests, making it seem like government access to their data was much more voluminous than in reality it was.

I don’t want problems, I want solutions!!!

So, if you’re a Processor BCR applicant, what do you do? You want to see through your BCR application to show your strong commitment to protecting individuals’ personal data, and you certainly don’t want to fall back on a weaker solution, such as Model Clauses or Safe Harbor, that won’t carry equivalent protections. But, at the same time, you recognize the reality that there will be circumstances where you are compelled to disclose data and that there will be very little you can do – or tell anyone – in those circumstances.

Here’s my view:

  • First off, you need a documented government data access policy. It’s unforgivable in this day and age, particularly in light of everything we have learned in the past couple of years, not to have some kind of written policy around how to handle government requests for data. More importantly, having a policy – and sticking to it – is all part and parcel of demonstrating your “best efforts” when handling government data requests.
  • Second, the policy needs to identify who the business stakeholders are that will have responsibility for managing the request – and, as a minimum, this needs to include the General Counsel and, ideally, the Chief Privacy Officer (or equivalent). They will represent the wall of defense that prevents government overreach in data access requests and advise when requests should be challenged for being overly broad or inappropriately addressed to the business, rather than to its customers.
  • Third, don’t make it easy for the government. If they want access to your data, make them work for it. It’s your responsibility as the custodian of the data to protect your data subjects’ rights. To that end, ONLY disclose data when LEGALLY COMPELLED to do so – if access to the data really is that important, then governments can typically get a court order in a very short timeframe. Do NOT voluntarily disclose data in response to a mere request, unless there really are very compelling reasons for doing so – and reasons that you fully document and justify.
  • Fourth, even if you are under a disclosure order, be prepared to challenge it. That doesn’t necessarily mean taking the government to court each and every time, but at least question the scope of the order and ask whether – bearing in mind any BCR commitments you have undertaken – the order can be put on hold while you consult with your competent DPAs. The government may not be sympathetic to your request, particularly in instances of national security, but that doesn’t mean you shouldn’t at least ask.
  • Fifth, follow the examples of your peers and consider publishing annual transparency reports, a la Google, Microsoft and Yahoo. While there may be prohibitions against publishing the total numbers of national security requests received, the rules will typically be more relaxed when publishing aggregate numbers of criminal data requests. This, in principle, seems like a good way of fulfilling your annual reporting responsibility to data protection authorities and – in fact – goes one step further: providing transparency to those who matter most in this whole scenario, the data subjects.
    So why does the Working Party’s latest opinion matter so much? It matters because it’s a vote of confidence in the Processor BCR system and an unprecedented recognition by European regulatory authorities that there are times when international businesses really do face insurmountable legal conflicts.

    Had this opinion not come when it did, the future of Processor BCR would have been dangerously undermined and, faced with the prospect of Safe Harbor’s slow and painful demise and the impracticality of Model Clauses, would have left many without a realistic data export solution and further entrenched a kind of regulatory ‘Fortress Europe’ mentality.

    The Working Party’s guidance, while still leaving challenges for BCR applicants, works hard to strike that hard-to-find balance between protecting individuals’ fundamental rights and the need to recognize the reality of cross-jurisdictional legal constraints – and, for that, they should be commended.

    EU data exports – choosing the least worst option?

    Posted on April 3rd, 2015 by

    Data, as anyone doing privacy on a global scale will tell you, knows no boundaries.  It can be collected in country A, routed through countries B, C, and D, and come to rest on servers in country E.  Those servers are likely then maintained by a third party in country F, with subcontracted support from another third party provider in country G.
    All that is well and good, but what do you do when country A happens to be within Europe, and any one or more of countries B through G are outside of Europe?  Europe’s aging Data Protection Directive tells you that if any of that data is personal in nature, then its transfer outside of Europe is forbidden.  Forbidden, that is, unless you have an “adequate” data export solution in place.
    So the good news is that you can export data internationally if you have an “adequate” solution in place, and the even better news is that there’s not one solution but three!  Phew!  Your choices are either:
    • sign up to the US-EU Safe Harbor Framework – a voluntary privacy framework for US-based importers of data, 
    • execute so-called EU Model Clauses (also known as Standard Contractual Clauses) – standard form, non-negotiable data export agreements approved by the European Commission, or
    • implement Binding Corporate Rules – a binding organizational data governance policy framework reviewed and approved by European data protection authorities.
    So far, so good.  But then comes the problem: each of these solutions suffers from some serious drawbacks that either make it commercially infeasible (Model Clauses), mistrusted by European customers and regulators (Safe Harbor), or subject to a lengthy regulatory approval process that puts off well-intentioned businesses that would otherwise be willing to adopt it (BCR).
    A perilous future for Safe Harbor?
    To illustrate the issue, today roughly 4,000 US businesses rely on Safe Harbor to import personal data from Europe.  However, following the Snowden revelations, European legislators and regulators are increasingly reluctant to recognize the validity of Safe Harbor – believing that it no longer (or perhaps, never) provides “adequate” protection for data and, as such, should be suspended or revoked.  See here and here, for example.
    Indeed, one case currently before the European Court of Justice may well decide Safe Harbor’s fate once and for all.  In Schrems v the Irish Data Protection Commissioner (Case C-362/14), one of the points the Court has to consider is whether Safe Harbor does in fact provide “adequate” protection for European data exports; if it decides the answer is no, then Safe Harbor could well be over.
    But, frankly, whether or not that happens is largely an academic point.  Many US importers already find EU customers will refuse to contract with them if they rely on Safe Harbor.  And, even if it survives this court case, the European Commission has been threatening for some time to suspend Safe Harbor.  With this level of ongoing uncertainty, it’s inevitable that businesses are looking to other options available to them.
    The problem with Model Clauses

    In nearly all cases, they next turn to Model Clauses as the solution to their data export woes.  On one level, doing so makes a lot of sense: Model Clauses are the darling of the regulatory community (after all, they created them), contain robust data protection terms, and so are often considered a ‘guaranteed compliant’ solution for the customers that use them.
    The reality, though, is something different.  Model Clauses neither provide the protection for data that customers and regulators think they do, nor are they actually complied with in practice – more often than not, they’re signed, put in a drawer and forgotten about.  For data importing vendors, they are also woefully impractical – containing subcontracting controls that are unrealistic, excessive audit rights, and no liability limitations.  And, to add to all this, where lengthy international subcontracting chains are involved, exporters and importers will often be looking at an extremely complicated web of Model Clause contracts to prepare and sign.
    Taking that all into account, what right-minded person would really want to entrust any transfer of data to something so complicated and unworkable in practice?
    Which leaves BCRs
    With Safe Harbor on its last legs, and model clauses suffering from all manner of problems, then the final remaining solution available to data importers is Binding Corporate Rules.  In themselves, BCRs are a fine solution and often thought of (rightly) as the gold standard for data exports from the EU – after all, they have to get reviewed and signed off by European regulators.  
    Further, the business adopting BCRs gets to draft them in a way that reflects the particular characteristics and needs of their organization and, once in place, BCRs can be self-managed by the business with minimal ongoing maintenance and regulatory oversight. The consequence of this is that they significantly reduce administrative burden and, for large organizations, even cost as compared with model clauses.
    But their single biggest drawback is the lack of any simple approval or self-certification process.  Adopting BCR, as anyone who’s been through the process knows, is not quick or straightforward.  While the end result is undoubtedly positive, the regulatory approval process typically takes around 18 months from start to finish.  Many organizations, faced with pressing data export needs, simply don’t have the time to hang around and so turn to quicker, off-the-shelf solutions.  
    So what do you do?
    The simple reality right now is that Europe has no good solution for facilitating international data exports, which is in stark contrast to increasingly globalized movements and storage of data.  Yet, be that as it may, data export compliance is an important component of European privacy law, and one that will not get any simpler in the short- to mid-term.
    Businesses are therefore left to consider what will be the most appropriate solution for their needs.  For US businesses, that will still often be Safe Harbor, but on the understanding that this cannot be relied upon as an “exclusive” solution for all their data exports needs and that, in many cases, they still need to be prepared to sign Model Clauses with important customers who insist on them.
    What is the most appropriate data export strategy for an international business then?  Here’s my suggestion:
    1. If you’re a US business, rely on Safe Harbor to the extent you can.
    2. Where you can’t, or if you are sending data to other non-EU countries, use Model Clauses (there’s really very little alternative).
    3. But, to provide a more effective longer term solution, start the process now of preparing for and adopting BCR.  Once implemented, these will ultimately be a far more efficient solution that can replace the awkward pairing of Safe Harbor and Model Clause solutions.
    So while there’s no good solution, with some careful strategizing and forward thinking, you may at least get to a place that is – for want of a better word – adequate.

    Towards more harmonization on the EU model clauses

    Posted on December 8th, 2014 by

    On November 26th, 2014, the Article 29 Working Party (“WP 29”) issued a document setting forth a cooperation procedure regarding the use of the EU model clauses in the context of international data transfers. The aim of this document is to facilitate the use of the EU model clauses across multiple jurisdictions in Europe while ensuring a harmonized and consistent approach to the way these model clauses are approved by the national data protection authorities (“DPAs”).


    General rule

    As a general rule, organizations who use the standard contractual clauses that were adopted by the European Commission to frame their transfers of data outside the EEA cannot change them unless they seek the prior approval of the DPAs of the Member States from where transfers are taking place. Nonetheless, companies may include the standard contractual clauses in a wider contract and add specific clauses such as commercial clauses (as permitted under paragraph VII of the model clauses 2004/915/EC, clause 10 of the model clauses 2010/87/EC and recital 84 of the proposed Data Protection Regulation) as long as they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the rights or freedoms of the data subjects. For example, it is possible to include additional guarantees or procedural safeguards for the individuals (e.g., on-line procedures or relevant provisions contained in a privacy policy).

    Need for authorizations

    In many EU Member States, a national authorization is required for the use of ad hoc contracts (e.g., Austria, Belgium, France, Germany (in some Länder), the Netherlands, Poland or Spain) or for transferring data outside the EEA on the basis of the EU model clauses (e.g., Austria, France or Spain). In practice, there has been a discrepancy between some DPAs who have traditionally been opposed to accepting any form of amendment to the model clauses and those who accept certain changes where they do not contradict the requirements under the model clauses.

    Purpose: Obtaining an ad hoc approval from those DPAs can be challenging, thus making it complicated for international organizations to implement ad hoc model clauses or intra-group data transfer agreements in the different EEA countries where their affiliates are located. As a consequence, this has created a legal risk for organizations because DPAs in different jurisdictions might adopt a different position with regard to an organization’s contractual clauses.

    For this reason, the WP29 has created a new cooperation procedure with a view to providing a more harmonized interpretation of the EU model clauses and adopting a common approach when reviewing the contracts used by organizations that are based on the EU model clauses.

    Scope: This new cooperation procedure applies to both sets of model clauses that were adopted by the EU Commission covering controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EC) data transfers and is meant to be used where:

    • an organization wants to use a single set of contractual clauses that are based on the EU model clauses (but with some divergences such as additional clauses);
    • in different EEA Member States;
    • in order to frame the same type of, or similar, transfers from different EEA Member States; and
    • this organisation wants to obtain a coordinated position of the competent DPAs regarding its proposed contract, and in particular, to verify whether this contract complies with the EU model clauses.

    For example, this would be the case in certain corporate groups, where data systems may be centralized outside the EEA, and subsequently, the same set of contractual clauses are signed by the different EEA subsidiaries (e.g., by means of an intra-group data transfer agreement). The WP 29’s document does not provide any specific examples, but one can expect that the DPAs will review a company’s contractual clauses on the basis of a pre-established list of criteria with a view to approving or rejecting changes that are made to the model clauses. Where such divergences have no impact on whether the contract complies with the EU model clauses, then it is not required to follow this procedure.

    It is not entirely clear whether this procedure can be used for transfers between an EEA processor and a non-EEA sub-processor. Earlier this year, the WP29 issued a draft version of its ad hoc model clauses covering such transfers, but these model clauses have yet to be formally adopted by the EU Commission (see our previous blog article).

    Procedure: The cooperation procedure is largely inspired by, and based on, the actual approval procedure for Binding Corporate Rules (“BCR”). At the beginning of the procedure, the organization must send a copy of its contract clearly highlighting all the divergences and additional clauses to a lead DPA. Once the lead DPA is approved, a formal review of the organization’s contract is carried out by the lead DPA to verify its conformity with the EU model clauses. For example, the lead DPA will verify whether the proposed contract:

    – is based on the EU model clauses;

    – diverges from, or contradicts, the EU model clauses; or

    – prejudices the rights of the individuals.

    Where the data are transferred from more than 10 Member States, two other DPAs will be appointed as co-reviewers. In all other situations, only one reviewer will be appointed in addition to the lead DPA. Once the lead DPA is satisfied that the contract complies with the EU model clauses, it issues an opinion in a draft letter and communicates the draft letter, the proposed contract and its analysis to the co-reviewer(s), who have one month to provide their comments. Following that, the draft letter is then sent to the remaining DPAs (in the countries from which data are being transferred) who are part of the mutual recognition (they simply acknowledge receipt of the documentation without reviewing it in detail) and to those who are part of the cooperation procedure (they have one month to review and provide their comments).

    Once all the DPAs have reviewed, the lead DPA signs the letter of opinion on behalf of all DPAs concerned and sends the letter to the organization, indicating whether the proposed contract is compliant with the EU model clauses. From that moment on, the procedure is closed and the organization may then obtain the necessary approval or permit in the different Member States for the transfer of data outside the EEA.

    Limitations: A significant difference with the BCR approval procedure is that the purpose of the coordination procedure for model clauses is not for the DPAs to approve an organization’s contract as a whole, but rather to assess whether the proposed contract complies with the requirements under the EU model clauses. In other words, where the proposed contract integrates the EU model clauses within a wider commercial agreement, the lead DPA will review the contractual clauses that relate to data transfers, but will not review or adopt any opinion regarding the broader commercial terms of the agreement.

    This was clearly expressed by the CNIL in a press release issued on 24 April 2014 in which the CNIL stated, when referring to Microsoft’s “ad hoc model clauses”, that the WP 29 had considered that the documents provided by Microsoft complied with the data transfer requirements under the EU model clauses, but had not assessed whether Microsoft’s contractual clauses as a whole complied with EU data protection law, nor that Microsoft complied with those rules in practice. In other words, the WP 29 simply agreed that Microsoft had taken the necessary precautions to frame its international data transfers as required by article 26 of the Data Protection Directive.

    Furthermore, the lead DPA’s letter of opinion does not exclude that permits or authorizations at a national level may be legally required, and companies may also be required to comply with other national requirements, such as notifications or administrative formalities with the DPAs. In particular, where permits or authorizations are legally required, national DPAs may still analyse the annexes and the description of the transfer in order to assess whether these are lawful under applicable national laws. In practice, this could mean that following the issuance of a letter of opinion, the organization in question may still need to put in place specific contractual terms to address the national requirements that apply to its local affiliates (e.g., specific security provisions to comply with laws in Spain or Poland) and, in any case, will need to obtain a formal approval for the transfer of data where required. Nonetheless, this cooperation procedure may facilitate the administrative formalities under national law, and in theory, the DPAs in the countries concerned should comply with the opinion given by the lead DPA when issuing their permits or authorizations under national law.

    Advantages: The main advantage of this procedure is that it will provide more clarity and legal certainty for organizations who want to put in place a single set of contractual clauses based on, or incorporating, the EU model clauses and are therefore seeking a common and coordinated position of the DPAs as to whether their contract complies with the EU model clauses. In that sense, the WP 29 has introduced some degree of flexibility by enabling organizations to depart from the EU model clauses and to tailor their contracts to each organization.

    It also provides more clarity and a more harmonized interpretation of the EU model clauses by the DPAs, and in particular, makes it easier for organizations to use ad hoc contracts or intragroup agreements in countries where DPAs have traditionally been reluctant to approving such contracts. Consequently, this should enable organizations to adopt a more harmonized and consistent approach when rolling out their data transfer agreements across Europe.

    Disadvantages: The downside is that in creating a new review process for model clauses, which previously did not exist, the WP 29 could make it more burdensome in some cases to use the EU model clauses. Depending on the time it takes for the lead DPA to issue its letter of opinion, there is a risk that the overall time needed for an organisation to obtain the necessary permit or approval from the various DPAs before implementing its contractual clauses will be stretched.

    This procedure also puts organizations under more scrutiny by the DPAs. Officially, the cooperation procedure for model clauses is not obligatory, but nonetheless organizations will be pressured to follow it if their contracts depart from the EU model clauses. In practice, this means that rolling out ad hoc contracts or intra-group agreements will become less straightforward, and on the contrary, will be more formalized.

    Finally, this procedure does not change the fact that, contrary to BCR, the EU model clauses do not constitute, and do not serve the purpose of, a group’s global policy. And so, organizations will inevitably need to have different sets of clauses to frame their data transfers as controller and processor, whereas BCR can be used as a single set of rules to frame all transfers both as a controller and a processor.



    Event alert: The new mechanism for international data transfers – APEC’s CBPRs demystified

    Posted on October 2nd, 2014 by

    On Friday 3 October, Fieldfisher will host an afternoon event entitled “The new mechanism for international data transfers – APEC’s CBPRs demystified” at our new offices in London.

    The event is designed to demonstrate how Cross Border Privacy Rules (“CBPRs”) and Binding Corporate Rules (“BCRs”) can be utilised to facilitate global data protection compliance. Hazel Grant, Fieldfisher’s new Head of Privacy, will chair the event which will also feature presentations from Anick Fortin-Cousens of IBM and Myriam Gufflet of the French data protection regulator (“CNIL”).

    • Ms Fortin-Cousens, leader of IBM’s Corporate Privacy Office and IBM’s CPO for Canada, Latin America and MEA, will provide a practical insight into CBPR. Earlier this year IBM became the first organisation to obtain Asia-Pacific Economic Cooperation’s (“APEC”) CBPR certification.
    • Ms Gufflet, BCR Division Manager at the CNIL, will tell us about the potential interoperability between BCRs and CBPRs. The CNIL have been closely involved in the work of the joint EU-APEC committee on this topic and was appointed as the Article 29 Working Party’s rapporteur in this matter.

    This event is aimed at legal counsel and privacy/compliance professionals in organizations with a global reach who would be interested in understanding how CBPR certification may improve their organization’s global data protection compliance.

    Networking drinks will follow the event and will allow attendees to meet privacy, e-commerce and technology law experts from a number of European countries (Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Hungary, Italy, the Netherlands, Poland, Portugal, Spain, Sweden, Switzerland and the UK) who form the Ecomlex network.

    A limited number of places remain available for the event. If you would like to attend, please register your interest by clicking on the following link.


    Challenges in global data residency laws – and how to solve them

    Posted on September 13th, 2014 by

    Whoever would have thought that, in a world where it seems nearly everything is connected, we would still have laws requiring that data be held within specific territories or regions?  Yet it seems that as more and more data moves online, is stored in the cloud, and gets transmitted all around the world and back in the blink of an eye, governments become ever more determined to introduce territorial restrictions limiting the movement of data.

    The best known example of this is the EU’s Data Protection Directive which forbids movement of personal data outside of Europe to territories that do not provide “adequate” data protection – or, in layman’s speak, territories that the EU doesn’t consider to be safe.  This rule can be dated back to a technological world where data sat in a single database on a single server, and legislators sought to guard against businesses moving data outside of the EU in an attempt to circumvent European data protection laws.  Against that backdrop, it was a very sensible rule to introduce.  20 years on from its adoption, it now starts to look a little long in the tooth.

    The problem is that legislative and regulatory thinking hasn’t advanced a great deal in that time.  Within those communities, there’s still a perception that data can, somehow, be kept within a single territory or region and not accessed or transmitted beyond those boundaries – or that, if it must, then implementing a standard form data protection agreement (so-called “model clauses”) between the ‘data exporter’ and the ‘data importer’ somehow solves the problem.

    But here’s the thing: it doesn’t.  Denying that international data movements are an integral and necessary part of the global data economy is like denying that the earth moves round the sun.  Spend any time dealing with cloud vendors, or social media platforms, or interest based advertising providers, and you’ll quickly learn that data gets stored in multiple geographic locations, often through chains of different subcontractors, and tens, hundreds and perhaps even thousands of different databases.  With that knowledge, legislating that data should be kept in-territory or in-region is at best pointless.  At worst, it’s economically disastrous.

    More than that, thinking that a ‘one size fits all’ set of model clause terms will somehow prove relevant across the multiplicity of different online business models that exist out there – or (and let’s be honest) that businesses executing those terms can and will actually comply with them – is nothing but a bad case of denial.

    But despite this, these so-called ‘data residency’ laws only seem to be growing in favour – inevitably spurred in part through both post-Snowden mistrust of other countries’ data protection regimes and in part through misguided economic self-interest.  Besides the 31 countries in the European Economic Area that have adopted data residency requirements, other countries including Israel, Russia, Switzerland and South Africa (in EMEA), Argentina, Canada, Mexico and Uruguay (in the Americas), and Australia, India, Malaysia, Singapore and South Korea (in APAC) all have their own data residency rules.

    The great irony here is that these rules will not prevent international movements of data.  They won’t even hamper them to the slightest degree.  Data will move beyond boundaries just as it always has, only at an ever quicker and more voluminous rate.  All of which begs the question: if data residency rules are to have this head on collision with increasingly globalised use of data, what can businesses do to comply?

    For any large multinational organisation, there really is only one solution: Binding Corporate Rules.  Model clauses contain too many stiff and unworkable provisions that any commercial organisation would be very hesitant to sign – and, once the business reaches any sort of global scale, the prospect of regularly signing exponential numbers of model clauses becomes quickly very unattractive indeed.  Safe harbor is a fine solution, but only for transfers of data from Europe and Switzerland to the US and, with the future of safe harbor currently in doubt, doesn’t offer the longevity on which to build a robust compliance platform.

    So that leaves Binding Corporate Rules, which are specifically designed for large multinationals moving large volumes of data and for whom safe harbor and model clauses are not options.  More than that, Binding Corporate Rules have a regulatory recognition that extends beyond Europe – being expressly recognised in many non-EU countries as a valid solution for overcoming strict national data residency rules (Canada, Israel, South Africa, Singapore and Switzerland all being good examples).  And even in territories where Binding Corporate Rules don’t have express regulatory recognition, they’re at least generally tolerated as compliant with local data export regimes.

    In the current political climate, it’s highly unlikely that data residency rules will relax in the short- to mid-term.  At the same time, data protection rules are only set to get stricter and carry greater risk (interesting fact: in 2011 there were 76 countries with data protection laws; by 2013 there were 101; and there are currently another 24 countries with new incoming privacy laws). Businesses with any kind of global footprint need to prepare for this and build out their data governance programs accordingly, with Binding Corporate Rules offering the most widely recognised and future-proofed solution.

    Processor BCR have a bright future

    Posted on July 8th, 2014 by

    Last month, the Article 29 Working Party sent a letter to the President of the European Parliament about the future of Binding Corporate Rules for processors (BCR-P) in the context of the EU’s ongoing data privacy legislative reform.

    The letter illustrates the clear support that BCR-P have – and will continue to have – from the Working Party.  Whilst perhaps not surprising, given that the Working Party originally “invented” BCR-P in 2012 (having initially invented controller BCR way back in 2003), the letter affirms the importance of BCR-P in today’s global data economy.

    “Currently, BCR-P offer a high level of protection for the international transfers of personal data to processors” writes Isabelle Falque-Pierrotin, Chair of the Working Party, before adding that they are “an optimal solution to promote the European principles of personal data abroad.” (emphasis added)

    As if that weren’t enough, the letter also issues a thinly-veiled warning to the European Parliament, which has previously expressed skepticism about BCR-P: “denying the possibility for BCR-P will limit the choice of organisations to use model clauses or to apply the Safe Harbor if possible, which do not contain such accountability mechanisms to ensure compliance as it is provided for in BCR-P.”

    The Working Party’s letter notes that 3 companies have so far achieved BCR-P (and we successfully acted on one of those – see here) with a further 10 applications on the go (and, yes, we’re acting on a few of those too).

    Taking the helicopter view, the Working Party’s letter is representative of a growing trend for global organizations to seek BCR approval in preference over other data export solutions: back in 2012, just 19 organizations had secured controller BCR approval; two years later, and today that figure stands at 53 (both controller and processor BCR).

    There are several reasons why this is the case:

    1.  BCR are getting express legislative recognition:  The Commission’s draft General Data Protection Regulation expressly acknowledges the validity of BCR, including BCR-P, as a valid legal solution to EU’s strict data export rules.  To date, BCR have had only regulatory recognition, and then not consistently across all Member States, casting a slight shadow over their longer term future.  Express legislative recognition ensures the future of BCR – they’re here to stay.

    2.  Safe harbor is under increasing strain:  The ongoing US/EU safe harbor reform discussions, while inching towards a slow conclusion, have arguably stained its reputation irreparably.  US service providers that rely on safe harbor to export customer data to the US (and sometimes beyond) find themselves stuck in deal negotiations with customers who refuse to contract with them unless they implement a different data export solution.  Faced with the prospect of endless model clauses or a one-off BCR-P approval, many opt for BCR-P.

    3.  BCRs have entered the customer lexicon:  If you’d said the letters “B C R” even a couple of years ago, then outside of the privacy community only a handful of well-educated organizations would have known what you were talking about.  Today, customers are much better informed about BCR and increasingly view BCR as a form of trust mark (which, of course, they are), encouraging the service sector to adopt BCR-P as a competitive measure.

    4.  BCRs are simpler than ever before:  Gone are the days when a BCR application took 4 years and involved traveling all over Europe to visit data protection authorities.  Today, a well-planned and executed BCR application can be achieved in a period of 12 – 18 months, all managed through a single lead data protection authority.  The simplification of the BCR approval process has been instrumental in increasing BCR adoption.

    So if you’re weighing up the pros and cons of BCR against other data export solutions, then deliberate no longer: BCR, and especially BCR-P, will only grow in importance as the EU’s data export regime gets ever tougher.


    FTC in largest-ever Safe Harbor enforcement action

    Posted on January 22nd, 2014 by

    Yesterday, the Federal Trade Commission (“FTC”) announced that it had agreed to settle with 12 US businesses for alleged breaches of the US Safe Harbor framework. The companies involved came from a variety of industries, and each handled a large amount of consumer data. But aside from the surprise of the large number of companies involved, what does this announcement really tell us about the state of Safe Harbor?

    This latest action suggests that the FTC is ramping up its Safe Harbor enforcement in response to recent criticisms from the European Commission and European Parliament about the integrity of Safe Harbor (see here and here) – particularly given that one of the main criticisms about the framework was its historic lack of rigorous enforcement.

    Background to the current enforcement

    So what did the companies in question do? The FTC’s complaints allege that the companies involved “deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework”. Although participation in the framework is voluntary, if you publicise that you are Safe Harbor certified then you must, of course, maintain an up-to-date Safe Harbor registration with the US Department of Commerce and comply with your Safe Harbor commitments.

    Key compliance takeaways

    In this instance, the FTC alleges that the businesses involved had claimed to be Safe Harbor certified when, in fact, they weren’t. The obvious message here is don’t claim to be Safe Harbor certified if you’re not!  

    The slightly more subtle compliance takeaway for businesses that are correctly Safe Harbor certified is that they should have processes in place to ensure:

    • that they keep their self-certifications up-to-date by filing timely annual re-certifications;
    • that their privacy policies accurately reflect the status of their self-certification – and if their certifications lapse, that there are processes to adjust those policies accordingly; and
    • that the business is fully meeting all of its Safe Harbor commitments in practice – there must be actual compliance, not just paper compliance.

    The “Bigger Picture” for European data exports

    Despite this decisive action by the FTC, European concerns about the integrity of Safe Harbor are likely to persist.  If anything, this latest action may serve only to reinforce concerns that some US businesses are either falsely claiming to be Safe Harbor certified when they are not or are not fully living up to their Safe Harbor commitments. 

    The service provider community, and especially cloud businesses, will likely feel this pressure most acutely.  Many customers already perceive Safe Harbor to be “unsafe” for data exports and are insisting that their service providers adopt other EU data export compliance solutions.  So what other solutions are available?

    While model contracts have the benefit of being a ‘tried and tested’ solution, the suite of contracts required for global data exports is simply unpalatable to many businesses.  The better solution is, of course, Binding Corporate Rules (BCR) – a voluntary set of self-regulatory policies adopted by a business that satisfy EU data protection standards and which are submitted to, and authorised by, European DPAs.  Since 2012, service providers have been able to adopt processor BCR, and those that do find that it gives them greater flexibility to manage their internal data processing arrangements while continuing to afford a high degree of protection for the data they process.

    It’s unlikely that Safe Harbor will be suspended or disappear – far too many US businesses are dependent upon it for their EU/Swiss to US data flows.  However, the Safe Harbor regime will likely change in response to EU concerns and, over time, will come under increasing regulatory and customer pressure.  So it is better to consider alternative data export solutions now and start planning accordingly, rather than find yourself caught short.