The US Safe Harbor – breached but perhaps not destroyed!

By David Smith, Deputy Commissioner and Director of Data Protection.

Not surprisingly there’s been huge interest in the impact of the judgment of the Court of Justice of the European Union (CJEU) regarding the US Safe Harbor scheme.

For those not in the know, the formal Decision of the European Commission recognising Safe Harbor gave businesses an assurance that if they transferred personal data to members in the US, they would satisfy the legal requirement for personal data transferred outside the EU to be adequately protected. That assurance has now been removed.

It’s a complicated area. The judgment did not strike down Safe Harbor itself, but focused on the Commission Decision that had given the assurance to businesses. That means there is still a measure of protection for personal data transferred under the scheme – the privacy principles that members sign up to are still positive, for instance. But the assurance that meant Safe Harbor was automatically considered to provide the adequate protection required under the 8th data protection principle is no longer there.

The Court made that decision because of the ability of the US intelligence services to gain access to transferred personal data. It took the view that the intelligence services had access beyond what it considered strictly necessary and proportionate for the protection of national security. Coupled to this is a lack of any right for non-US persons to seek legal remedies in the US for misuse of their data.

The Court’s decision also ruled on the principle that data protection authorities are not prevented from considering complaints from individuals that their data has not been properly protected, even where there is an existing Commission Decision on the issue.

This latter point is not confined to Safe Harbor. Our approach to considering complaints won’t change overnight, but it’s inevitable that some of the legal certainty that Commission findings of adequacy have provided for businesses in the past may no longer be available, for instance in relation to the adequacy of particular countries and standard contractual clauses.

The existing Commission Decisions on the adequacy of particular countries and on standard contractual clauses do still stand, and can be relied on by businesses, certainly for the time being. But the terms of the judgment inevitably cast some doubt on the future of these other mechanisms, given that data transferred under them is also liable to be accessed by intelligence services whether in the US or elsewhere. The impact on these other mechanisms and on transfers to destinations other than the US is far from clear and will be analysed, over the coming months, by the Article 29 Working Party of European data protection authorities amongst others.

We took part in a special meeting of the Working Party on 15 October which led to the publication of a statement. The meeting was a constructive one, with the substance of the statement being measured, albeit expressed strongly. The statement recognises the importance of the data protection authorities working together but makes clear that solutions do not lie in our hands alone.

Political, legal and technical solutions are required and they rely on both member states (including the UK), and the EU institutions opening discussions with the US authorities.

Here in the UK, the Government is aware of the issue, and last week I took part in an industry round table hosted by the Minister with data protection responsibility, Baroness Neville-Rolfe.

The focus for much of the conversation was, ‘Where does this leave businesses that are using the Safe Harbor?’ We’d sum up our advice in three key points:

Don’t panic

Our initial message is still valid. Don’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal. The impact of the judgment on standard contractual clauses and binding corporate rules is still being analysed. Of course transfers can always be made on the basis of an individual’s consent but this doesn’t necessarily protect personal data any more effectively than the Safe Harbor which is, after all, what the CJEU case is all about. Indeed, individuals may be easily induced to give their consent to the transfer of their data to destinations where there is little or no protection when the Safe Harbor does at least provide them with some genuine protection even if such protection is imperfect.

Take stock

The first thing for businesses to do is take stock. Ask yourself what personal data you are transferring outside the EU, where it is going, and what arrangements you have made to ensure that it is adequately protected. For some this will be no easy task. Then look at whether these arrangements are the most appropriate ones, taking into account the ICO’s guidance on international transfers. If they include the Safe Harbor, what alternative mechanisms might you use if there’s no progress on a new Safe Harbor? But don’t rush to change, especially with the possibility that a new, improved and perhaps rebranded Safe Harbor will emerge.

Make your own mind up

It’s also worth bearing in mind that businesses in the UK don’t have to rely on Commission decisions on adequacy. Although you won’t get the same degree of legal certainty, UK law allows you to rely on your own adequacy assessment. Our guidance tells you how to go about doing this. Much depends here on the nature of the data that you are transferring and who you are transferring it to, but the big question is: can you reduce the risks to the personal data, or rather to the individuals whose personal data it is, to a level where the data are adequately protected after transfer? The Safe Harbor can still play a role here.

What else is the ICO doing to help? Before answering this, it might be better to talk about what we’re not doing. We’re certainly not rushing to use our enforcement powers. There’s no new and immediate threat to individuals’ personal data that’s suddenly arisen that we need to act quickly to prevent. Of course we’ll consider complaints from affected individuals, whatever transfer mechanism you’re relying on, but we’ll be sticking to our published enforcement criteria and not taking hurried action whilst there’s so much uncertainty around and solutions are still possible. We can’t create legal certainty where there is none but we will continue to work with our European counterparts in an effort to ensure that, as far as possible, we’re all delivering a single and sensible message. Ultimately, for the ICO it has to be a message that is consistent with UK law, with our powers and with the public commitments we have made about when and how we will use those powers.

In time we’ll update our guidance on international transfers but for the most part it’s still valid. We’ll also be building on this blog by publishing some practical advice for businesses, including SMEs who may rely on cloud and similar services provided by others, on what they should and should not be doing in the current period of uncertainty.

The next few months will be critical. We very much hope that what many are calling Safe Harbor 2.0 will emerge and provide a strong and effective framework for protecting individuals when their personal data are transferred from the EU to the US. We’ll be using what influence we have to push for such an outcome but businesses need to play their part too. In reality the business community and particularly multi-nationals are likely to wield more influence over the actions of member states, the European Commission and the US authorities than either the ICO alone or the Article 29 Working Party ever will.

David Smith: As well as providing Data Protection leadership across the ICO, David Smith has direct responsibility for oversight of its Strategic Liaison Division, which develops and manages the ICO’s relations with its key stakeholders.