The Future of ‘Safe Harbor’

January 21, 2016

Demise of Safe Harbor

Safe Harbor, as we knew it, is dead. In October, the European Court of Justice (ECJ) ruled that it was no longer valid, reversing the EU’s long-held position on the protection of privacy rights and personal data. Safe Harbor had originally been established in 2000 by a decision of the European Commission (EC), pursuant to an existing EU Directive.

This affected 4,500 participating US companies. They had to satisfy EU requirements by complying with its principles and registering their certification, in order to be allowed to access and process data from EU citizens, and then to transfer it from the EU to the US. The effect of the ECJ ruling was to make data transfers under Safe Harbor illegal with immediate effect.

The question is, following its demise, and the added complication of the newly approved EU General Data Protection Regulation, will the vacuum left by Safe Harbor likely be filled by new regulations that are better equipped to deal both with 21st century data privacy concerns and the global commercial reality?

US developments

The US has certainly been quick to respond. Within a fortnight of the ECJ ruling, the US House of Representatives passed the Judicial Redress Act. This is designed to restore public confidence in transatlantic data flows by granting non-US citizens the same rights of redress in federal courts as those afforded to US citizens when their privacy is violated. The bill is now heading for the Senate, which has to decide whether to follow the lower house, or to water down the proposed terms of the Act.

Given the recent turmoil on Capitol Hill, exemplified by the resignation of John Boehner, who stepped down as Speaker at the end of October, there are significant doubts that the bill will make the cut. According to which follows the progress of bills, the prognosis is that it has only a 22% chance of being enacted. Facing odds like this, maybe we shouldn’t bet too heavily on cross-Atlantic privacy reform being realised any time soon.

Safe Harbor 2.0

However, for the Internet to function, the legal transfer of data across borders remains an essential prerequisite. As a replacement for its defunct predecessor, EU and US authorities have started to draw up a “Safe Harbor 2.0”. A grace period on enforcement of the ECJ ruling was put in place, as US and Europe Microsoft devised a temporary, pragmatic solution: establishing European-based servers to provide cloud-based services, thereby avoiding data transfer to US-based servers. A target date was set for the terms of a new plan to be agreed with a deadline of January 31, 2016.

Progress has, nevertheless, been beset by difficulties.

As pointed out by Vera Jourová, the European Commissioner for Justice, Consumers and Gender Equality (ECJCGE), while negotiations on Safe Harbor 2 continue, there will undoubtedly be added pressure. Moving from a self-regulatory approach to one that provides proactive enforcement and sanctions will be key to guaranteeing public confidence that personal data will be given adequate levels of protection. This pressure is illustrated by a recent letter sent by 20 EU and 14 US NGOs to Jourová and to the US Secretary of Commerce, Penny Pritzker: it urges the politicians “to commit to a comprehensive modernization of privacy and data protection laws on both sides of the Atlantic.”

Impact on global surveillance

So will Safe Harbor 2.0 and the potential Judicial Redress Act change how governments monitor individuals? Although there have been positive noises emanating from the White House regarding the privacy rights of non-Americans, it is unlikely that any government would willingly allow itself to be prevented from accessing data, either of its own citizens or that of foreign nationals. In an uncertain world, data access is as imperative for national security as it is for e-commerce.

Global cross-border data transfer

Preventing cross-border data transfer would destroy much of e-commerce at a stroke, creating enormous damage to a broad spectrum of businesses across multiple sectors. Deadlines have been set by the Article 29 Data Protection Working Party of the EC, comprised of representatives from the national data protection authorities in EU member states, while all parties work towards having mechanisms for cross-border data transfer in place by the end of January. Common sense dictates that large tech companies will lobby to ensure that business can carry on as usual. Equally compelling is economic pragmatism: if the banks were too big to fail, the authorities would also never allow the world’s data economy to fail.

Japan’s privacy law

The Japanese approach to the problem may be worth considering. Updates to Japan’s privacy law have seen progressive steps being taken, not just in limiting legislation as to what cannot be done with personal data, but specifically allowing companies to farm anonymous “big data”. Might this be the way forward for data privacy law elsewhere, providing tech industries with the means to grow and expand, but setting effective parameters within which this must be done?

A great deal rests on a successful conclusion being reached by negotiators and legislators in the coming weeks.  

Sarah Pearce is a partner at Cooley LLP’s London office. Her primary focus is on technology and her practice covers a broad range of commercial legal aspects in technology-related transactions.