The EU Data Protection Directive 95/46/EU (which is transposed into Irish law by the Data Protection Act 1988 – 2003) provides that organisations transferring personal data from Ireland (or from anywhere in the European Economic Area) to countries outside the European Economic Area must ensure that the recipient country provides an ‘adequate’ level of data protection.
(The European Economic Area is the 28 member states of the EU along with three of the four member states of the European Free Trade Association (EFTA), Iceland, Liechtenstein and Norway.)
What is Safe Harbor?
One of the best known ways of transferring data from the EEA to the U.S., while ensuring an ‘adequate’ level of protection, is under the Safe Harbor data protection framework standards. Safe Harbor in Ireland is increasingly being used by Irish data controllers to export data to U.S. based subcontractors or affiliates.
The Safe Harbor arrangement is a voluntary but enforceable code of good data protection practice established in November 2000 by the United States Department of Commerce and the European Union. Safe Harbor regulates the way U.S. companies who sign up to it process (store, transfer and handle) personal data (for example, names, addresses and dates of birth) of European citizens.
(The remaining EFTA member, Switzerland, has enacted a separate U.S.-Swiss Safe Harbor Framework.)
Why use Safe Harbor?
Safe Harbor sets out a framework of data protection standards that allow the free movement of personal data from a data controller in the EEA to a data controller in a US organisation that has (a) joined the scheme and (b) agrees to abide by the scheme rules. The Safe Harbor framework tries to help reduce the administrative burden of complying with the Data Protection Act.
Interestingly, the privacy policies of many US technology companies prominently claim that their organisation “adheres to the Safe Harbor Principles” and is “a certified licensee of the TRUSTe EU Safe Harbor Seal and abides by the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce and the European Union”.
What are the risks with Safe Harbor?
The Court of Justice of the European Union (CJEU) and the European Commission are currently considering whether the US/EU Safe Harbor framework should remain in its current form or be modified. This is due, in part, to the fact that European regulators are concerned that Safe Harbor is a voluntary code and doesn’t provide firm contractual protections from the signatories. Moreover, the recent revelations regarding the NSA and its alleged spying and harvesting of data from major US technology companies have heaped consumer scrutiny on the framework. What the CJEU and European Commission decide may have practical implications for organisations transferring data to non-EEA countries, and in particular for those relying solely on Safe Harbor.
How can my organisation lower the risk of transferring data to the US?
If a non-EEA recipient country does not provide an ‘adequate’ level of data protection, then an Irish data controller transferring personal data outside the EEA commonly relies on the receiver signing up to the EU-approved Model Contracts, which contain data privacy safeguards that satisfy EU standards.
Transfer and export of EU personal data to U.S. organisations that have not signed up to the Safe Harbor framework are subject to the same restrictions as transfers to other unapproved third countries. Commonly, an Irish data controller will ask the receiver to sign up to the EU-approved Model Contracts.
Safe Harbor is in a period of flux and may not survive the next 12 months in its current form. Accordingly, when transferring data to U.S. entities, EU data controllers should strongly consider requiring the U.S. recipient organisations to, in addition to complying with the voluntary Safe Harbor framework, also sign the EU-approved Model Contracts.
Photo credit: EU2015.tv