On February 20, 2014, two of our Brussels-based attorneys specializing in European privacy and data security—Cédric Burton and Chris Kuner—presented a webcast titled “Update on EU Data Protection Law,” with a particular focus on the U.S.-EU Safe Harbor Framework (Safe Harbor).1 The following article summarizes the session and includes a few key takeaways.
Update on the Regulation
The webinar provided an update on the current status, gave an overview of the political background, and examined a few likely trends pertaining to the draft EU Data Protection Regulation (Regulation). Particular emphasis was placed on a few select items, such as the one-stop-shop regulator, pseudonymization, and profiling.
Timing for the adoption of the Regulation remains uncertain due to the Regulation’s complexity and the current political disagreements on key issues. Adoption is currently expected to take place in late 2014 or early 2015 at the earliest, with the Regulation entering into force two years after adoption (but timing may change). The Regulation will have an impact on almost all companies doing business in the EU. Companies targeting EU individuals should strategize now on how to comply with the core principles of the Regulation. Regardless of the final wording, the current core principles included in the Regulation will be reflected in the future EU framework, as the existing draft partly codifies existing practices and interpretations.
Political Background on Safe Harbor
The webinar also discussed the current political context in the EU around data transfers, with a focus on Safe Harbor. Safe Harbor recently has been under scrutiny in the EU following the revelations about law-enforcement access to private company data, and has been criticized at both the EU and national levels:
- At the EU level, the criticisms of Safe Harbor included statements about the lack of enforcement and false claims made by companies regarding their adherence to the Safe Harbor principles.2 Furthermore, the EU Parliament called for the suspension of Safe Harbor, and a vote on a relevant resolution is expected in March 2014.3 In parallel, the Council of the EU created and co-chaired with the European Commission an ad hoc EU-U.S Working Group on Data Protection to examine transatlantic data flows.
- At the national level, some regulators (e.g., German data protection authorities) have made strong statements calling for the suspension of Safe Harbor.4 In addition, there has been some interest in data localization requirements (mandating that data be stored locally) in some Member States.5
It is, however, important to keep in mind that only the European Commission has the legal powers to take action (e.g., suspend, freeze, and amend) regarding the U.S.-EU Safe Harbor Framework. Any skepticism from national regulators and the EU Parliament is primarily intended to send a political message, since their statements and resolutions are not legally binding on the European Commission. However, their statements have created bad publicity for Safe Harbor-certified companies and thus have put pressure on EU companies to conduct diligence of the Safe Harbor compliance programs of the U.S. companies with which they do business, or in some cases to even refuse to do business with companies that only rely on Safe Harbor for their data transfers to the United States.
Against this background and following several meetings, the European Commission issued a set of documents aimed at “rebuilding trust in EU-U.S. data flows,” including a report on Safe Harbor.6 This report acknowledges that Safe Harbor is a valid solution for data transfers7 and includes 13 recommendations on Safe Harbor, some of which are addressed to companies (how best to comply) and others to regulators (how best to enforce). More developments with respect to Safe Harbor are expected in the following months, as the European Commission has committed to work with its U.S. counterparts to reinforce Safe Harbor by the summer of 2014.8
The European Commission has shown political will to defend and improve Safe Harbor. Safe Harbor is still a valid mechanism for transferring personal data from the EU to the U.S. and the likelihood of seeing this agreement repealed is low, although some changes may come in the future. However, increased scrutiny from U.S. and EU regulators is expected and companies that are Safe Harbor-certified or are planning to become certified should make sure they comply with the Safe Harbor principles.
Five Key Takeaways About Safe Harbor
- Under the existing law, Safe Harbor is a valid legal mechanism for EU-U.S. data transfers and will likely stay.
- A few improvements to Safe Harbor are expected to become effective in the second half of 2014 or later.
- Enforcement of Safe Harbor in the U.S. is increasing. As also reported in this newsletter, the FTC reached settlements with 13 companies earlier this year for falsely claiming compliance with Safe Harbor.
- If your business is being pressured by your EU customers about Safe Harbor, be ready to explain that you take compliance with EU privacy laws seriously and be prepared to demonstrate how your company complies with the Safe Harbor principles.
- Review the European Commission’s recommendations for Safe Harbor-certified companies and decide how best to implement them. Being proactive will help increase trust in your organization.
For more information on this topic, please contact any of the attorneys on our Brussels-based EU privacy and data security team.
A recording of our webcast is located at http://peach.wsgr.com/store/seminar/seminar.php?seminar=25407. The webcast slides may be viewed at http://www.wsgr.com/eudataregulation/pdf/webcast-0214.pdf.
1 The slides from the webcast are available at http://www.wsgr.com/eudataregulation/pdf/webcast-0214.pdf.
2 “Data protection: Claude Moraes calls for suspension of EU-US ‘safe companies list,’” S&D press release (October 8, 2013), available at http://www.socialistsanddemocrats.eu/newsroom/data-protection-claude-moraes-calls-suspension-eu-us-safe-companies-list, or watch a recording of the hearings, available at http://www.europarl.europa.eu/ep-live/en/committees/video?event=20131007-1900-COMMITTEE-LIBE.
3 “NSA snooping: MEPs table proposals to protect EU citizens’ privacy,” European Parliament LIBE Committee press release (Feb. 12, 2014), available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+IM-PRESS+20140210IPR35501+0+DOC+PDF+V0//EN&language=EN.
4 See resolution of German regulators (July 24, 2013), available at http://www.bfdi.bund.de/EN/Home/homepage_Kurzmeldungen/PMDSK_SafeHarbor.html?nn=408870.
5 A. Smale, “Merkel Backs Plan to Keep European Data in Europe,” The New York Times (February 16, 2014), available at http://www.nytimes.com/2014/02/17/world/europe/merkel-backs-plan-to-keep-european-data-in-europe.html?_r=0.
6 “EC Communication on the functioning of the Safe Harbor from the perspective of EU citizens and companies established in the EU,” available at http://ec.europa.eu/justice/data-protection/files/com_2013_847_en.pdf.
7 “Restoring Trust in EU-U.S. data flows – Frequently Asked Questions,” EC press release (November 27, 2013), available at http://europa.eu/rapid/press-release_MEMO-13-1059_en.htm.
8 Joint Press Statement following the EU-US-Justice and Home Affairs Ministerial Meeting (November 18, 2013), available at http://europa.eu/rapid/press-release_MEMO-13-1010_en.htm.