Good and Bad News on Safe Harbour: Take a Life Ring or Hold Out for a New Agreement?
Published 12/01/2015
By Susan Richardson, Manager/Content Strategy, Code42
If your organization relied on the now-invalid Safe Harbour agreement to legally transfer data between the U.S. and the EU, there’s good news and bad news.
The good news? The European Commission just threw you some life rings. On Nov. 6 the governing body issued guidance that outlines alternative mechanisms for legally continuing transatlantic data transfers:
Standard contractual clauses
Sometimes referred to as model clauses, standard contractual clauses are boilerplate provisions for specific types of data transfers, such as between a company and a vendor. They’re often the least costly on a short-term basis.
Binding corporate rules for intra-group transfers
These allow personal data to move freely among the different branches of a worldwide corporation. Sounds easy, but the process can be time-consuming and expensive, depending on the scope of the company. That’s because the rules have to be approved by the Data Protection Authority (DPA) in each member state from which you want to transfer data.
Derogation where contractually necessary
This exception allows for data transfers that are required to fulfill a contractual obligation, for example when a travel agent sends details of a flight booking to an airline.
Derogation for legal claims
This exception allows for data transfers that are required to process a legal claim.
Derogation based on individual consent
Legal folks say this option isn’t a slam dunk. Many DPAs have ruled that it’s not possible to obtain meaningful consent from employees, given the lopsided nature of the employer-employee relationship. On the consumer side, it may be difficult to demonstrate that consumers provided meaningful consent if the relevant notice is embedded in a lengthy privacy policy they may never read. Data privacy experts at law firm BakerHostetler recommend a click-through privacy policy with an “I agree” checkbox, as opposed to a browsewrap privacy policy that implies consent by virtue of the consumer simply using the website, app or service.
The bad news? You only have until the end of January 2016 to get the new mechanisms in place before DPAs start investigating and enforcing transfer violations. Or you could hedge your bets and hold out for U.S. and EU negotiators to hammer out a Safe Harbour 2.0 agreement by then, as they’ve committed to do.
After all, the U.S. House of Representatives did surprise everyone by quickly passing the baseline requirement for moving forward on October 20th: the Judicial Redress Act would give EU citizens some rights to file suit in the States for U.S. government misuse of their data. It was received in the Senate and referred to the Committee on the Judiciary on October 21.