U.S.-EU Safe Harbor: Clearing the Waters

For organizations collecting personal data across European markets, the waters of the U.S.-EU Safe Harbor may seem murky in the wake of some EU data authorities questioning its application to cloud computing and its long term viability in the face of upcoming changes in EU privacy law. I hope to provide some clarity here.

Earlier this month I had the pleasure of meeting Krysten Jenci, the Director of Electronic Commerce for the International Trade Administration (ITA) and head of the U.S. Department of Commerce’s Safe Harbor Frameworks team, and Christopher Hoff, one of the two Administrators on that team. As part of the ITA’s effort to promote a better understanding of the role the Safe Harbor Frameworks play in facilitating commerce between the U.S. and Europe, Krysten and Chris came to Portland, OR to meet with privacy professionals and counsel (including fellow IAPP and ACC members) to discuss the continuing viability of the U.S.-EU Safe Harbor Framework and initiatives in furtherance of the White House Privacy Blueprint. While they were preaching to the choir with regard to the continuing importance of the US-EU Safe Harbor Framework, some points made during the discussion bear repeating:

  • Under existing law, the data protection authorities of the European Economic Area (EU member states, Liechtenstein, Iceland, and Norway) are obligated to accept that Safe Harbor-certified U.S. service providers are as “adequate” as EU-based service providers in providing data security for processing personal data transferred from the EU. Moreover, the U.S.-EU Safe Harbor applies to cloud service providers as well. This shouldn’t be news, but to counter questions raised by the non-binding July 2012 Article 29 Data Protection Working Party Opinion on Cloud Computing and related statements made by certain EU officials, the ITA recently published clarifications on this subject to set the record straight.
  • In a service agreement between a data controller and U.S. Safe Harbor-certified processor, it is not necessary to include the EU standard contractual clauses to assure the data security of personal data from the EU, because certifying adherence to the Safe Harbor principles provides adequate assurance of data protection. If you once negotiated with a European counterpart who insisted otherwise, you know that creating the proper understanding in this regard can be an uphill climb.
  • Even after the proposed EU General Data Protection Regulation (Proposed Regulation) is finalized, the U.S.-EU Safe Harbor Framework may continue to be recognized as affording adequate assurance of personal data protection, because the Proposed Regulation grandfathers in such recognition. Although one proposed amendment to the Regulation (often referred to as the Albrecht amendment) would have the recognition sunset two years after the Proposed Regulation takes effect, passage of this amendment is not assured and even if it were enacted, the sunset provision would take effect no earlier than 2016. 

Finally, even where there is a clear understanding among a company’s privacy and legal teams on the value of the US-EU Safe Harbor Framework and its role in facilitating commerce between the U.S. and Europe, this understanding may not be shared with the company’s engineers tasked with planning how to transfer and process data from several countries most efficiently. Engineers lacking knowledge of the benefits of Safe Harbor could mistakenly conclude that EU law requires keeping EU data hosted within the EU, even when it would be more efficient or otherwise desirable from a business perspective to centralize hosting in the U.S. with a Safe Harbor-certified services provider.

So, here’s a call for spreading the good word on the continuing viability of Safe Harbor and clearing up any misunderstandings that may be muddying the waters for your engineering teams and others involved in planning international data exchanges. They will thank you for it.