Prepare For Changes To The US-EU Safe Harbor

Author: Mr Neil Ray
Profession: Sheppard Mullin Richter & Hampton

In the aftermath of disclosures of the extent of U.S. government monitoring of private communications, the European Commission is currently considering changes to the U.S.-EU Safe Harbor framework. The EU and its member states already have some of the strictest data privacy laws in the world. Under current EU law, transfer of personal data to the United States is generally prohibited because the United States fails to meet the EU "adequacy" standard for privacy protection. Current law provides a "Safe Harbor" in cases where the U.S. recipient of data can certify to the U.S. Department of Commerce that it meets the privacy requirements set up under the U.S.-EU Safe Harbor Framework. Such certification now allows the transfer of personal data. But in light of newly disclosed privacy threats such as the surveillance program of the U.S. National Security Agency (NSA), the European Commission has proposed several changes to the U.S.-EU Safe Harbor program, including the following:

- The Safe Harbor must become more transparent;
- The program must be revised to contain an alternative dispute resolution procedure;
- Compliance with the Safe Harbor must be more actively enforced and audited by the U.S. Department of Commerce; and
- U.S. authorities must make clearer the circumstances under which they will gain access to EU personal data processed by a Safe Harbor self-certified company.

If these recommendations are all implemented, they will increase the compliance burden on companies participating in the Safe Harbor (each a "Safe Harbor Company") with respect to the personal data of their EU-based employees and customers. In particular, a Safe Harbor Company would be required to do the following things to comply:

- publish its privacy policies, and its website privacy policies would need to include a link to the Department of Commerce's Safe Harbor List;
- publish the privacy provisions of contracts with any subcontractors (e.g., for cloud computing services);
- notify the Department of Commerce of onward transfers of personal data;
- offer an alternative dispute resolution (ADR) system to EU citizens in its privacy policy and include a link to the ADR provider;
- be subject to regular external audits by the Department of Commerce to assess its actual compliance with the Safe Harbor principles and its privacy policies; and
- provide a sufficient description of U.S. laws requiring disclosure of personal data, how U.S. authorities may use those laws to gain access to EU...