US EU Personal Data Protection

Brussels is abuzz asking what happens now that Safe Harbor is dead. Safe Harbor was a process through which United States companies would comply with European Union policies on the protection of personal data. The U.S Department of Commerce and the European Commission collaborated to create and implement Safe Harbor. Safe Harbor was designed to prevent accidental information disclosure or loss. Companies would be allowed into the program as long as they followed a set of principles in regulating data security. The bigger question now is what this means for Europe's future digital strategy.

Suddenly, data protection and privacy are front-and-center in the debate on European policy. On October 6, 2015, the Court of Justice of the EU (CJEU) invalidated the Safe Harbor agreement between the EU and the U.S. that allowed American firms to transfer customer data. The European Parliament’s Civil liberties, justice and home affairs committee met last week. A number of the committee’s MEPs were indignant, frustrated with the European Commission for lacking the foresight and due diligence to foresee the potential for a negative CJEU decision.

Now that Safe Harbor has been knocked down, the ball is in the American court. MEPs, especially, are looking to see whether the US will truly create a legal framework where EU citizens’ data are protected in the way they are protected in the EU. Namely, will EU citizens have legal standing to hold the US government accountable should they feel their data has been inappropriately accessed? Some are optimistic about the Judicial Redress bill traveling through the US Congress. Others are less sanguine and find it unlikely that the NSA will ever be covered by such a law.

On October 16, 2015, the EU’s Article 29 Working Party (WP29) issued a statement on the consequences of the CJEU judgment invalidating the Commission’s Safe Harbor decision. WP29 is composed of representatives from each EU member state and is part of the data protection authority that gives expert advice on issues regarding data security.

In its statement, WP29 called upon EU member states and EU institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling transfers to the US that respect EU citizens’ fundamental rights. According to WP29, an intergovernmental agreement providing stronger guarantees to EU data subjects and a new Safe Harbor could offer such solutions.

If no solution is found with US authorities by the end of January 2016, the data protection authorities may decide to take coordinated enforcement actions, depending on the outcome of WP29’s assessment of other data transfer mechanisms.

In any event, WP29 states that businesses can no longer rely on the EU-US Safe Harbor Act to transfer personal data from the EU to the US.

Stay tuned!

If you have questions about the fascinating issue of data security, contract Dan Caprio at dcaprio@providencegroupdc.com

Dan Caprio, Co-Founder, The Providence Group