Editor’s Note: The following post is by Judith Delaney of CMMR Group-TurnsonPoint. Judith is a valued member of Agnes + Day’s Crisis Intelligence Team.
As some of you may be aware through previous articles posted here (or otherwise), for some time now the European Union has been seeking to restate its directives, including its privacy directives, into law/regulations. As we move into 2014, the European Union ‘s continuance of its 2012 introduction of new data protection regulation, the “European Data Protection Regulation” (The Regulation”), scheduled to be put before the European Parliament and Council in the very near future, represents substantial restrictions on how companies handle personal and private data.
Some of the concern with the privacy directives has been centered on the effectiveness of the Safe Harbor Privacy Principles that were drawn up by mutual agreement of the United States Department of Commerce (DOC) and the European Union (EU) intended to meet the standard of adequate privacy protection required by the EU Directive. These Safe Harbor Privacy Principles were approved by the European Commission (the “Commission”) in July, 2000 and went into effect as the Safe Harbor Program in November of that year.
Since any change to the Safe Harbor Program’s privacy principles would directly impact organizations located in the United States, and indirectly worldwide, this article is focused on potential changes to Safe Harbor by the Commission just learned on January 10, 2014 and the impact that these changes may have on organizations.
Background on Safe Harbor
For those of you not familiar with the Safe Harbor Program following is a brief summary:
The Safe Harbor Program was designed to eliminate the necessity of U.S. based companies to obtain prior approval required by the EU privacy directives in order for such entities to conduct electronic data transfers of EU residents’ information, inclusive of personal and private information (“Data Transfers”).
- Participation in the Safe Harbor Program is voluntary.
- In exchange for Safe Harbor certification, U.S. organizations are shielded from prosecution under the EU data-protection directives.
- The DOC makes the list of all self-certified organizations available to the public.
However, the EU (as well as other countries) had and continue to have little or no faith that the standard of adequate protection privacy required by the EU Directive was, or is being, followed by organizations and social media platforms that are conducting Data Transfers under the Safe Harbor Program and its privacy principles. This concern has been primarily directed at organizations and social media platforms located in the United States of America.
This discussion of the EU’s concerns with Safe Harbor privacy principles has been ongoing literally since its inception in 2000.
As a result of a series of meetings and public hearings held by the European Parliament’s Civil Liberties Committee (the “Committee”), after the Snowden revelations regarding the United States’ NSA surveillance program and the impact its had or could have on EU’s citizens’ rights of privacy, the Committee prepared a report in December 2013 that describes its recommendations to alter, limit or eliminate altogether the ability of organizations, private and public, profit or non-profit, to transfer personal and private data about European citizens out of Europe.
According to the report (which itself was leaked), it is the intention of the Committee to submit these recommendations for: European Member States, European organizations, and public review on or about May 2014.
If these recommendations are accepted and implemented, the result could be severe restrictions in Data Transfers between the EU and the U.S. and the rest of the world. These recommendations (as well as other proposals set out in the Regulation as amendments) would:
- Have a substantial impact on organizations’ (for example: Healthcare, SaaS/Cloud) ability to collect and disseminate personal and private information worldwide as part of their day to day operations; and
- Severely curtail the ability of social media platforms (e.g. Facebook, Instagram, Twitter, Google, etc.) to claim they have legitimate grounds for collecting, analyzing or selling the personal data of their users.
Summary of the Recommendations
A summary of the main recommendations for changes to Safe Harbor that would impact the organizations discussed is as follows:
- Eliminate the recognition of the Safe Harbor Program because it does not provide adequate protection for EU residents and instead, require that all transfers should be carried out under the EU’s current contractual clauses known as the Binding Corporate Rules (BCRs);
- Suspend, via the EU Data Protection Authorities, all Data Transfers to any organizations that are self-certified under the Safe Harbor Program, unless such organizations amend their current agreements to require that they agree to and adhere to their obligations under the BCRs in receiving Data Transfers. Going forward this could mean that future agreements for Data Transfers and an organization’s obligation of privacy would be based on the BCRs and not the Safe Harbor Program privacy principles.
- Immediately suspend Commission Decision 520/2000, which approved the Safe Harbor Program privacy principles and related FAQs issued by the U.S. Department of Commerce.
It cannot be emphasized enough that approval and implementation of these recommendations will substantially change, and in some instances, complicate an organization’s brand and the way it conducts their business.
Some may say that is a good thing. Others may not agree.
What is important right now is that organizations need to be aware of these recommendations and keep tuned to updates on this blog for subsequent activity and decisions made in the coming weeks and months around this most important topic.
Disclaimer: The information contained in this document is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter thereof. Accordingly, this information is not promised or guaranteed to be correct or complete, and is not intended to create, or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this document.
Judith Delaney is an attorney who specializes in global online privacy laws and issues and social media law. Judith helps organizations integrate new media strategies with business strategies to effectively manage risk associated with online compliance such as the HIPPA Omnibus Rule, global social media private and data protections and contract risk management.
Leave a Reply