The deadline for the U.S. and European Union (EU) to come to an agreement on the future of Safe Harbor, which governs transatlantic data transfers, passed on January 31.
Although it is difficult to speculate what a revised agreement would look like, it potentially would no longer permit self-certification and may require some type of third-party attestation. Key items in question include the EU’s concern regarding limitations and safeguards surrounding access to data by the National Security Agency and other law enforcement as well as sufficient channels for redress.
Although negotiations continue and there may still be time for an updated agreement, this outcome seems unlikely at this point in time.
This impacts U.S.-based companies that are serving EU-based businesses and consumers, including multinational companies that send information on EU employees back to their US division. If you provide technical solutions within the EU and some of the support is based in the US, your company may also be impacted, depending on what service or support is being provided from the U.S.
Although it is disappointing that no agreement was reached, there are other possible alternatives. Two methods remain available for supporting data transfers outside of the EU: Binding Corporate Rules (BCRs) and Model Clauses.
BCRs are usually for large multinational corporations and can take upwards of a year to get approved. In addition, some of the countries have suspended their review and approvals of BCRs.
Model Clauses are certain standard contractual clauses approved by the Commission that offer sufficient safeguards as required by “Article 26 (2), that is, they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.”
While we wait for additional guidance to be issued by the European Commission, my advice is to focus on Model Clauses and ensure your privacy policy is up to date and accurately reflects what information you are collecting, including where that information is processed, transmitted and stored.