News Archives

Saturday, October 31, 2015

Safe Harbor: Open for Business or the Walking Dead?

Leaving the Safe Harbor website open and accessible, the US Department of Commerce has pledged to “continue to administer the Safe Harbor program, including processing submissions for self-certification” (see my October 12 post).  Brian Hengesbaugh, a former DOC attorney who helped negotiate the Safe Harbor framework, defends this decision, stating that the program remains “fully functional and operational,” since the Schrems judgment did not “repeal or otherwise dismantle” it.

How does this claim that Safe Harbor is still “fully functional and operational” in today’s post-Schrems world, stand up to scrutiny?  No one will dispute the DOC’s statement, made on the Safe Harbor home page, that the framework was developed in order to bridge differences in approaches to the protection of privacy between the US and the European Union and provide a streamlined and cost-effective means for U.S. organizations to comply with the Directive.  

However, how many of the following statements, found on the U.S.-EU Safe Harbor Overview page, are true today?

  • “The U.S.-EU Safe Harbor Framework….is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities…”
  • “Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides "adequate" privacy protection, as defined by the Directive.”
  • “Benefits for participating U.S. organizations include:

  • o   All 28 Member States of the European Union will be bound by the European Commission’s finding of “adequacy”;
    o   Participating organizations will be deemed to provide “adequate” privacy protection;
    o   Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted….and
    o   Compliance requirements are streamlined and cost-effective…”

    The answer is clear: although once true, all of these statements are false today, even though the DOC has declined to withdraw or modify them and they continue as the US government’s official definition and description of the program and its benefits.  If a program utterly fails to meet its main objectives, the raison d’etre for its existence, in what sense can it be said to be “fully functional and operational”?  Becky Richards and her colleagues at the DOC may continue going through the motions of reviewing and disposing of new self-certifications they receive, but pretending that this program, as we knew it, continues to be operational is a pure charade.

    At the same time, it would be a mistake to write off the DOC’s posture vis-à-vis Safe Harbor as merely delusional, because it is a charade with indefensible and harmful consequences.  Chief among these deleterious consequences are the following:

    1. Violating the privacy rights of data subjects by failing to provide adequate notice relating to safeguards for their data.  While data controllers bear the primary responsibility for providing notice to data subjects, the DOC has responsibility here as well as the developer of a program to protect the privacy of Europeans when their data is transferred to the US.  Millions of European consumers and employees have been informed, via privacy notices, policies and other means, that their personal data will be protected in the US under a framework approved by the European Commission.  Such data subjects, going to the DOC Safe Harbor website today, however, will at the most find on the home page a one-sentence, legalistic reference to the ruling of the CJEU and, in the News and Events section, statements of regret from the Secretary of Commerce and support for updating the Safe Harbor framework.  Meanwhile, 99% of the total text on the website remains unchanged and anyone clicking directly from a privacy policy or notice to an organizational listing will find no reference whatsoever to the CJEU ruling.  By stating that Safe Harbor will remain open for business and failing to state that data transfers can no longer be based upon Safe Harbor, the DOC is misleading data subjects.  This is an ironic, but also sad, development for a government that once contended that a robust notice-and-choice regime was superior to the comprehensive data protection approach of Europe.

    2. Complicity in ongoing violations of European data transfer requirements. Based upon available evidence, the DOC has failed to inform Safe Harbor organizations that the framework can no longer be used as a legal basis for data transfers.  Indeed, by stating that it will continue to administer the program and process self-certifications, the DOC is complicit with companies that either consciously choose to ignore European data transfer requirements or can plausibly claim that the DOC’s posture led them to believe that a de facto grace period permitted a business-as-usual response.  Where is the guidance to Safe Harbor companies on the legality of ongoing data transfers dependent upon the framework?  What responsible bridge development authority would tell drivers that although some court has found the center span of the bridge has fallen into the water, the bridge remains open and drivers may continue to pay their tolls and use it?

    3. Exposing many Safe Harbor organizations to DPA orders.  It is often overlooked that many organizations that joined Safe Harbor made a commitment to cooperate with, and abide by the advice of, DPAs, even including the open-ended possibility of being compelled to pay compensation to data subjects.  Such cooperation was mandatory if Safe Harbor covered transfers of HR data and voluntary with respect to other types of data.  By maintaining that Safe Harbor is an ongoing, operational program, the DOC has needlessly extended the otherwise expired authority of DPAs to order the deletion of data transferred under the framework, the payment of compensation to data subjects and whatever other measures are deemed appropriate.  Violation of such orders, which Safe Harbor requires be interpreted by European rather than US law, would be actionable by the FTC.  By contrast, had the DOC suspended the Safe Harbor program, these organizations could have treated the orders as having no authority and could continue to hold and use previously transferred data, avoiding FTC enforcement as long as they continue to apply the Safe Harbor Privacy Principles to their handling of the data.

    4.  Diminishing the chances of successfully achieving Safe Harbor 2.0.  Safe Harbor was built upon bi-lateral trust between the US and the EU, a trust gravely imperiled by Snowden’s revelations of NSA mass surveillance.  Trust is not restored by misleading European data subjects or by treating compliance by US companies with European data privacy requirements as a European problem. Trust is further eroded by downplaying the significance of a landmark ruling by Europe’s highest court and effectively saying “Here’s what we think of your court ruling:  we will carry on as usual.”  With dozens of independent European DPAs replacing the bureaucratic European Commission in the driver’s seat, such displays of unilateralism, which could easily be taken as arrogance, are profoundly misguided.  One would hope that the policy makers at the DOC, intent on building a new bridge with the EU, would pay attention to the message being sent to Europe by the Safe Harbor website.  

    Monday, October 19, 2015

    What the Art 29 WP Guidance Doesn’t Say

    On October 16, 2015, the Article 29 Working Party issued a highly-anticipated statement on the implementation of the CJEU Maximilian Schrems v Data Protection Commissioner case. From the perspective of companies that relied upon Safe Harbor as their sole legal basis for importing personal data from Europe, and currently lack and are unable to quickly utilize an alternate mechanism, the statement is as notable for questions not addressed as for those that were taken on.  

    Here are five questions that the Article 20 Working Party statement doesn’t address for these companies.

    With respect to data transferred before October 6, 2015:
    1. Can the data continue to be held, as opposed to being immediately deleted?
    2. If yes, can it continue to be used for the legitimate purposes for which it was collected and transferred?
    3. If yes again, can it be updated via a new transfer, even in the absence of an alternate mechanism, if it is in the data subject’s interest to do so?
    In general:
    4. Should there be a grace period, during which new data transfers under Safe Harbor may occur while a company transitions to implementation of an alternate mechanism?
    5. Should references to Safe Harbor in privacy policies, notices and websites be amended immediately?

    What is to be made of the fact that the Working Party is silent on these topics?  It may be that the magnitude of the sudden shift in the EU DP acquis caused by the Schrems ruling renders any attempt to formulate answers to these questions too complex and fraught with legal uncertainty.  What was lawful one day became unlawful the next, but only on one side of the Atlantic.  Furthermore, the focus is an unprecedented quasi-legal framework created out of thin air through political negotiation and agreement.  It may also be the case that taking into consideration the uncertainty the Working Party acknowledges as to the post-Schrems viability of alternate transfer mechanisms, that they believe it best to defer questions about how one unravels previously acceptable mechanisms to a later time when the bigger picture has been brought into focus.  Or the Working Party may have had intense discussions about these questions and concluded that they are best answered on a case-by-case basis by individual DPAs.   The need to produce a statement that reflects a consensus or common position of all the DPAs may have played a determinative role as well.

    Whatever the factors underlying the limited focus of the Working Party’s October 16 statement, it remains striking that a document professing to discuss the implementation of a judicial ruling invalidating the Safe Harbor framework has so little practical guidance to provide to thousands of Safe Harbor companies about their current data processing activities.

    My own thoughts on these questions are that one has to begin by distinguishing between legal obligations that apply to European companies and those that apply to US companies.  Since Safe Harbor was designed to bridge the gap that exists, it is not surprising that its demise yields quite divergent answers depending upon the jurisdiction a company is located in. 

    At the same time, this division of applicable law by jurisdiction does not apply to Safe Harbor companies with respect to transfers of human resources data.  According to the sixth paragraph of the Safe Harbor Privacy Principles “U.S. law will apply to questions of interpretation and compliance with the Safe Harbor Principles….except where organizations have committed to cooperate with European Data Protection Authorities.”  Making such a commitment is mandatory under Safe Harbor when it comes to HR data.  Consequently, what follows holds only for non-HR data, or for HR data in situations in which the DPAs have not intervened.

    Here is my analysis:

    With respect to data transferred before October 6, 2015:
    1. Under European DP law, a good case can be made that the data must be deleted immediately, along the lines that even storage of data is a form of data processing under the Directive and that no legal ground exists post-Schrems to engage in such processing.  At the same time, a counter argument could be made that the CJEU Schrems ruling only applies to transfers going forward and doesn’t address the past or current legitimacy of data processing activities that were lawful when initiated.  In addition, immediate deletion could have serious unintended consequences for data subjects, such as for those who have paid for products to be delivered or for surgery to be performed remotely by companies reliant upon Safe Harbor.  

    Under US law, the situation is less ambiguous.  A company should be able to retain pre-Schrems data.  While companies are explicitly required by FAQ 6 to delete transferred data if they leave the Safe Harbor program, there is nothing in the text of the Safe Harbor documents that addresses whether transferred data can or cannot continue to be held if the program itself ceases to exist.  The FTC would have grounds to take enforcement action against a company that fails to continue to apply the Safe Harbor privacy principles and FAQs to the transferred data.  However, I see no basis under which the FTC could take action against a company solely for failing to delete Safe Harbor data in light of the CJEU ruling.

    2. Under European law, the answer to the questions as to whether data transferred before October 6, 2015 can continue to be used for the legitimate purposes for which it was collected and transferred would likely follow the answer to the previous question about storage.  It should be noted that the CJEU did not find that Safe Harbor companies were using transferred data in illegitimate ways, rather that the US government was doing so, by virtue of its indiscriminate mass surveillance with no access and correction rights or recourse for data subjects.  It would not be surprising if some DPAs would be amenable to allowing the continued use of pre-Schrems data, at least in some cases and for some periods of time.

    Under US law, a Safe Harbor company should be able to use pre-Schrems data as long as it continues to apply the Safe Harbor Privacy Principles and FAQs to its handling of the data.

    3.  Under European law, the CJEU ruling makes crystal clear that new data transfers cannot be made lawfully on the basis of Safe Harbor participation, whether on an interim or a long-term basis.  At the same time, if the grounds for allowing pre-Schrems data to continue to be used described above are persuasive, would they not remain so if a new data transfer was only an update of data previously supplied, such as a change in shipping address or a request for data subject access? One begins to sense a slippery slope with this line of argument, yet some DPAs might weight the interests of data subjects and decide to look the other way and focus on more consequential matters.

    US law, on the other hand, contains no prohibitions against receipt of data from Europe without the protections required by European law. While a European company is now legally prohibited from exporting personal data on the basis of Safe Harbor, no such strictures apply on the receiving side. 

    In general:
    4. Given the unequivocal rejection of Safe Harbor as a basis for new data transfers by the CJEU, it was probably a pipe dream to imagine that the Working Party could find a way to allow for a grace period that would allow Safe Harbor data exporters and importers to continue business as usual until an alternate transfer mechanism was developed and in place.  The best that can now be hoped in this regard is that individual DPAs will allow an unspoken de facto grace period to come into existence.

    On the US side, the fact that the US Department of  Commerce has adopted the position that Safe Harbor remains open for business (see and my blog), however, bizarre and indefensible that may be, would appear to encourage new data transfers from European companies willing to overlook the legalities involved or from European consumers who may be unaware of the CJEU ruling or its significance.

    5. By anyone’s standards, be they European or American, it would be both unethical and a violation of law to not amend policies, notices or websites that reference Safe Harbor and thereby fail to inform European data subjects that the program said to ensure protection for their US-bound data has been ruled invalid and ineffective by Europe’s top court. The adequacy of notice provided to data subjects is fundamental both in European DP law and in the more narrow Notice-and-Choice approach to privacy protection found in the US and in the Safe Harbor Privacy Principles.  Furthermore, given the indispensability of transparency, such amendments should also address, at a minimum, what is being done with previously transferred data, what the company is doing about new transfers and what options the data subject has in this new regulatory environment.

    So there you have it.  We have received regulatory guidance that either ducks the difficult responsibility of explaining how to apply the Schrems ruling to the real world or farms that responsibility out to dozens of DPAs to sort out on their own on a case-by-case basis. 

    Hang on to your seat belts.  We live in interesting times.

    Monday, October 12, 2015

    Safe Harbor Open for Business, Says US Govt

    The US Department of Commerce has added the following statement to the landing page of its Safe Harbor website:

    * * * *

    On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.”

    In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.

    * * * *

    This is an incredibly obtuse and indefensible statement under the circumstances that exist. By indicating that the DOC will continue processing submissions for self-certification, while cloaking its description of the CJEU ruling in a legalistic reference, the department is encouraging consumers and companies to believe that Safe Harbor still provides the protections and assurances that are legally required. This is arguably an "unfair and deceptive" practice that should warrant FTC review and intervention.

    It does make sense to leave the Safe Harbor website accessible, since links to it are contained in thousands of privacy policies and it contains useful information about companies and their handling of personal data. However, the site should be far more honest and informative about the current situation. Yes, it is difficult to precisely define what the current status of Safe Harbor is, but to say that administration and self-certification will continue as usual is simply preposterous. "Under your laws, the framework we agreed upon is dead; under my laws, it lives on." Oh, please!

    Thursday, October 8, 2015

    No Shortage of Safe Harbor Questions

    The Safe Harbor framework no longer exists as a viable legal basis for transferring personal data from Europe to the US, that much is clear.  However, as of this morning the US Department of Commerce Safe Harbor website and list of participating companies remains accessible, as though nothing has changed.  Dual versions of reality, like a painting of an impossible landscape by Rene Magritte?

    In any event, for companies that had been participants, the CJEU ruling has raised a number of questions: 

    1. What can, or should, be done with transferred data received prior to the ruling?  Can it continue to be held and processed, or must it be deleted?

    2. If such previously-received data can continue to be held and processed, under what conditions may this occur?  Would a publicly-stated commitment to continue to apply the former Safe Harbor Privacy Principles and FAQs to the handling of the data suffice?  Or a similar commitment to seek data subject consent, or to develop either a model contract or Binding Corporate Rules?

    3. Do any of the legal obligations on participants created by virtue of Safe Harbor participation survive the demise of the framework?

    4. Can new personal data be lawfully received in the absence of an executed model contract or approved BCRs?  Could, or should, previous Safe Harbor participation allow for a grace period for transition to another transfer mechanism?

    5. Should every current published privacy policy or notice referencing Safe Harbor be amended?  What should the amendment say?

    6. If a privacy policy indicating reliance upon Safe Harbor contained a pledge to contact data subjects in the event of a material change in the policy, has the ruling triggered the need for such communications?

    7. Must the Safe Harbor privacy seal be removed wherever it is displayed?

    8. Does the US-Swiss Safe Harbor Framework remain in place as a valid basis for transfers of personal data from Switzerland to the US?  

    9.  What significance, if any, do the commitments from both the Department of Commerce and the European Commission to create what is being called Safe Harbor 2.0 have, given the two years this has been under discussion and the enormity of the gap remaining?

    Both the European Commission and the Article 29 Working Party have announced that they are working on an expedited basis to develop guidance that may provide answers to some of these questions.  This in turn gives rise to a final question:  

    10.  What risk or liability do participating companies face should they defer changing their data handling policies or practices until regulatory guidance is in hand?

    Tuesday, October 6, 2015

    CJEU Delivers Colossal Blow to Mass Surveillance

    On October 6, the Court of Justice of the European Union declared invalid the decision reached by the European Commission in 2000 that found the Safe Harbor framework to provide an adequate legal basis for transferring personal data from Europe to the US. Agreeing with the reasoning of its Advocate General, the Court further instructed the Irish Data Protection Commissioner to take up the complaint against Facebook lodged by Maximillian Schrems and to determine whether the company's transfer of his data to the US should be suspended.

    The CJEU ruling, clearly the most significant development in international data privacy in the past 15 years, raises a host of questions for thousands of companies that relied upon Safe Harbor to legitimize their data transfers. Actors in this unfolding high drama include the Irish DPA, the Irish High Court, the European Commission, DPAs in other member states, the Article 29 Working Party, the European Data Protection Supervisor, the US Department of Commerce, the companies and of course the individuals whose personal data has been, and is being, transferred to the US. How each will respond will only be evident in the coming days and weeks.

    Much of the early coverage in the mass market media, both in the US and in the Europe, focuses on the impact of the decision upon companies and what these companies must do to satisfy European requirements. While certainly a valid and pressing area of concern, indeed one that HR Privacy Solutions advises and assists clients with, the bigger headline is, I would argue, the one found above. At a time when judicial and legislative efforts within the US to reign in mass surveillance have advanced only in small increments, Europe's top court has unequivocally said that mass surveillance is incompatible with the right to privacy and must stop. A clarion call has been issued that is likely to be heard around the world.