Summary and implications

In a dramatic announcement on 19 July, EU Commissioner Viviane Reding stated that the European Commission will be reviewing its Safe Harbor Agreement with the US. This review will be keenly awaited by many companies and other organisations who currently rely on the Safe Harbor Agreement to transfer personal data lawfully between the EU and the US.

Viviane Reding, who is the EU Commissioner responsible for data protection, stated that the recent PRISM controversy was a "wake-up call" which Europe would answer with "data protection reform". In that context, Reding said the "Safe Harbor agreement may not be so safe after all" as it could be used as a "loophole" for data transfers from the EU to the US despite "US data protection standards [being] lower than our European ones". As a result, she stated that she will be working on "a solid assessment of the Safe Harbor Agreement" and will present this "before the end of the year".

What is the Safe Harbor Agreement?

The US/EU Safe Harbor framework (often known as the Safe Harbor Agreement) was developed in 2000 following the US Department of Commerce's consultation with the European Commission. It enables US companies that self-certify that they comply with the Safe Harbor framework to be deemed to provide "adequate protection" for personal data transferred from the EU to the US. As such, the Safe Harbor Agreement is of key importance for EU/US trade. Approximately 3,000 leading companies have self-certified, including Microsoft and Amazon.

What should you do?

Companies and other organisations that rely on the Safe Harbor Agreement – or use service providers (such as cloud service providers) that rely on the Safe Harbor Agreement – will wish to keep a close eye on this review.

If the Safe Harbor Agreement were to be suspended or even revoked by the EU, then personal data could no longer be lawfully transferred from the EU to the US unless some other lawful method, such as EU model contracts, individual consent or binding corporate rules, were in place.

We believe that a more likely outcome is for the EU to seek to negotiate the Safe Harbor Agreement following the European Commission's review. This was always likely to happen anyway with the development of the draft EU General Data Protection Regulation that is intended to replace the current EU Data Protection Directive. However, we believe the criticism surrounding Safe Harbor will lead many companies and other organisations increasingly to consider binding corporate rules as the key legal compliance method to underpin their international personal data transfers.
