Safe Harbor - A discussion from the DMA Email Council
26 Nov 2015
If it’s escaped your notice that there has been a change to Safe Harbor recently, just pause for a minute, jump into your preferred search engine, have a look for “Safe Harbor ruling” and come back once you’ve had a quick read!
Okay, great.
At the last meeting of the DMA Email Council we began what was intended to be a debate as to whether the Safe Harbor ruling was good or bad for business, marketers or anyone else. Instead of a debate what resulted was a broad and interesting discussion between brands, consultants, service providers and compliance professionals on what was fact, opinion, benefit and problem.
I’ve summarised and structured that discussion for you here.
Brand Concerns
Concerns voiced by brands are easily explained with these four quotes:
“Baffled”
“Not sure what it means”
“In limbo”
“Don’t want to start doing anything and waste time by doing the wrong thing”
Does this impact you?
Yes, if you:
- Collect, store or use data which includes information relating to EU-based individuals
AND you
- send that data to the US for storage or processing, or;
- use that data with any US-based marketing or analytics service provider, or;
- use any US-based company for anything which may result in them having access to that data
What you need to understand
The “Safe Harbor Privacy Principles” are a scheme, enforced in the U.S. by the FTC, under which U.S. firms self-certify that they adhere to EU data protection standards. In 2000 the European Commission recognised Safe Harbor as an adequate basis for EU-based firms to use U.S. service providers for data storage and processing.
In the US a firm can be served with a National Security Letter demanding that it hand over data. Such firms have little recourse: the letter normally carries a gag order, so they can’t tell you that they’ve received a demand and can’t tell you that they’ve handed over your data.
Because U.S. law allows this kind of mass surveillance of data held by U.S. firms, the Court of Justice of the European Union (CJEU), the highest court in the EU, has now ruled that Safe Harbor is not an adequate means of ensuring data protection.
An alternative or a rework of Safe Harbor, dubbed Safe Harbor 2.0, is currently being negotiated.
These negotiations have a current deadline of 31st January 2016.
With Safe Harbor in limbo EU organisations relying on U.S. based software and services still need to protect their data. The following recommendations have been made:
1) Review the data you collect, store and use.
2) Identify the software and service providers you use that may have access to your data
3) Perform due diligence on these service providers, including an information security audit in which you ask them to detail their processes and data protection methods
4) Identify which of these service providers are based outside the EU
5) Look at ways to reduce the information which any service provider has access to
6) Minimise the information provided to non-EU service providers
7) Look for alternatives to transferring data or providing access to that data
8) Confirm what you tell your customers about who you give access to their data
If after this process you identify that you give non-EU service providers access to the personal information of EU citizens without a lawful basis, then you need to legitimise those transfers.
Legitimising Cross Border Data Transfer Without Safe Harbor
The ICO has already issued a “Don’t Panic” notice, and it’s understandable, given the legal uncertainty and lack of clear guidance, if firms don’t want to take action now which may be undone by the outcome of the Safe Harbor 2.0 negotiations. However, if you are giving non-EU organisations access to personal information without the right contracts and controls in place, this may be illegal. And even though there may be no formal prohibition on such transfers at present, they may subsequently be held to have been in breach of data subjects’ fundamental rights to data protection.
Such a finding might mean a claim for damages may be made against you.
As such, as well as minimising unnecessary data access and auditing your service providers, it’s recommended that in this interim period you obtain consent from your customers or look at Model Clauses to legitimise your data transfers.
Questions and Answers
What is the risk of doing nothing?
You may be transferring data with no legal basis. Even though there may be no enforcement until January, these data transfers may subsequently be held to be in breach of data subjects’ fundamental rights to data protection. Such a finding might mean a claim for damages may be made against you.
What should you do now?
Understand that there will be change. Regulators are telling us not to panic and not to react without thinking. So: show progress, investigate and plan. Specifically, look at your own data collection and storage, your international data transfers or access, your third-party software and service providers and what information they may access. Make sure you are in a position to proceed quickly: review your own data and processes, minimise risks, and perform an information security audit of all non-EU (and especially US-based) companies who process, store or have access to your data. In this interim period consider making use of Model Contracts as the foundation for this. You are making the decision about who to work with, who to give access to your data, exactly what access they have and what they do with it, so whatever happens you should take responsibility for it.
Do the current alternatives to Safe Harbor work?
When a US-based company was accredited under the old Safe Harbor standards, that company could still be compelled to hand over your data to the US government, which is why the Safe Harbor agreement was ruled inadequate.
The two main alternatives are Binding Corporate Rules (BCRs) and Standard Model Clauses (also known as Standard Contractual Clauses). Neither of these prevents a US company from being compelled to disclose your data to US government agencies.
As such, in the long term, companies allowing data to be transferred to the United States should consider alternatives to that processing, not just sign an alternative and equally-inadequate agreement.
Should you remove Safe Harbor from your privacy notices?
In the EU, participation in Safe Harbor has not been ruled illegal; it is instead no longer considered an "adequate" method of transferring data to the U.S. Neither has Safe Harbor been abolished. So provided that companies take other steps to ensure transfer adequacy, retaining general references to Safe Harbor will not of itself incur sanctions. Indeed, one could argue that complying with the Safe Harbor principles remains a positive step for U.S. companies to take even if it doesn't provide immediate transfer compliance. What would be particularly risky would be claiming to adhere to the Safe Harbor principles when your company does not, whilst also failing to put in place other measures to address European data transfer requirements. Both the FTC and EU regulatory authorities might bring enforcement action in these circumstances.
https://iapp.org/news/a/all-the-safe-harbor-answers-part-1/
Can you change or modify the model clauses to suit your needs?
“The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.”
Or, in plain terms: using standard data protection clauses does not prevent the addition of further clauses, as long as they don’t contradict the standard clauses or prejudice the rights of the data subjects.
So, if there is anything you are unhappy with, you may be able to negotiate additional clauses to modify or minimise the risks, or to make liability less one-sided.
http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm
Background Information – Condensed Timeline:
It’s not clear to many industry professionals how we got to this position, so let’s catch up with a timeline of events so far:
July 2000: European Commission recognises “Safe Harbor Privacy Principles”, issued by the U.S. Dept. of Commerce and enforced by the U.S. FTC, as providing “adequate” protection, allowing personal data transfers from the EU to the U.S.
September 2001: 9/11 attacks resulting in an expansion of mass surveillance by U.S. national security organisations
2007 – 2008: The Protect America Act (2007) and the FISA Amendments Act (2008) amend the 1978 Foreign Intelligence Surveillance Act (FISA), providing the legal basis for mass surveillance programmes such as PRISM, which gives the NSA access to user data held by services like Gmail, Facebook, Outlook and more.
June 2013: NSA mass surveillance practices disclosed by Edward Snowden (example of a court order forcing Verizon to hand over telephone call data on an “ongoing daily basis”: http://www.theguardian.com/world/interactive/2013/jun/06/verizon-telephone-data-court-order )
November 2013: European Commission publishes a series of recommendations to improve Safe Harbor with a deadline of Summer 2014 http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52014XX0416(01)
January 2014: EU Commission Vice President Viviane Reding: “Safe Harbour has to be strengthened or it will be suspended.” http://europa.eu/rapid/press-release_SPEECH-14-62_en.htm
February 2014: EU Parliament called for the "immediate suspension" of Safe Harbor http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A7-2014-0139&language=EN
August 2014: Complaints raised against 30 U.S. companies for violating Safe Harbor. http://www.centerfordigitaldemocracy.org/sites/default/files/Safe%20HarborComplaints081314.pdf
March 2015: The Court of Justice of the European Union hears a case referred by the Irish High Court regarding US internet companies operating in Europe. The complainant, Max Schrems, argues that the United States does not provide “adequate protection”, and that the NSA’s PRISM program and other forms of US surveillance are the exact antithesis of “adequate protection”.
6 October 2015: The Court of Justice of the European Union (CJEU) delivers its judgment in the Schrems case (C-362/14), declaring the Safe Harbor adequacy decision invalid and confirming that national DPAs may investigate and suspend international data transfers http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&doclang=en
27 October 2015: Advice from the UK ICO, simply: don’t panic, take stock, and make up your own mind. https://iconewsblog.wordpress.com/2015/10/27/the-us-safe-harbor-breached-but-perhaps-not-destroyed/
6 November 2015: The European Commission publishes guidance, including advice on how to use Model Clauses to legitimise EU-US data transfers while waiting for Safe Harbor 2.0 https://www.huntonprivacyblog.com/files/2015/11/eu-us_data_flows_communication_final.pdf
19 November 2015: CNIL guidance published, confirming that companies can temporarily rely on EU Model Clauses, and that beyond 31 January 2016, if there is no Safe Harbor 2.0, European DPAs will look at using their enforcement powers to suspend data transfers to the U.S. http://www.cnil.fr/linstitution/actualite/article/article/safe-harbor-que-doivent-faire-les-entreprises/