In two congressional hearings yesterday, lawmakers heard testimony describing the importance of cross-border data flows to the modern economy and how critical the U.S. – EU Safe Harbor Framework (“Safe Harbor”) is to the more than half a trillion dollar trans-Atlantic trade relationship. Much of that trade is underpinned by cross-border data flows enabled by the Safe Harbor agreement. The recent decision by the Court of Justice of the European Union (CJEU) in the matter of Maximillian Schrems v. Data Protection Commissioner (Schrems), which effectively nullified the agreement, casts doubt on how companies may continue to legally transfer employee and customer data to the United States, threatening grave consequences for the economies of both the United States and the European Union (EU).
The Safe Harbor is the primary – and often sole – mechanism under which more than 4,400 companies of all sizes, across all industries, and in both the United States and the EU, legally conducted cross-border transfers of EU citizens’ data to the United States for the past 15 years. The types of data transferred under the Safe Harbor are critical to everyday commerce. For instance, a U.S.-based company will transfer data to process credit card payments by EU citizens and ship purchased goods to those customers, or a U.S.-based company will transfer the data of its European employees in order to process payroll and benefits for those employees – critical functions that, if stopped because the necessary data cannot be transferred, could have immediate negative economic impact.
While other mechanisms exist to conduct data flows, such as binding corporate rules (BCRs), standard contract clauses (SCCs, also called model contract clauses), or the direct consent of EU customers, these mechanisms are of different scopes, covering different types of information and different actors, and are therefore not applicable in all situations. Additionally, they are not necessarily feasible or cost-effective for all companies to employ. BCRs, for example, are exceedingly expensive and burdensome to obtain because a company must effectively obtain the approval of each jurisdiction in the EU from which it transfers data – a process that can often take multiple years to complete. Only roughly 70 companies have BCRs in place because the expense and administrative burden of obtaining BCRs generally places these mechanisms out of reach for small- and medium-sized enterprises, as well as many large companies. The other primary method of transferring data, SCCs, is more easily attainable but is not an easy or quick fix. For companies not presently using SCCs, availing themselves of this mechanism would presumably require that they re-open existing contracts to insert the new language. Additionally, only two sets of approved SCCs currently exist, covering only certain types of business relationships. Direct consent is also not a feasible mechanism in all cases, primarily because such consent is usually only valid for one distinct transaction rather than an ongoing practice.
These disruptive challenges have not been lost on the Article 29 Working Party – the collective of European Data Protection Authorities (DPAs). Recognizing the above alternative mechanisms cannot be put in place quickly, the Working Party issued a statement granting an unofficial enforcement moratorium through January 2016. In just three short months from now, however, companies may not rely on the existing Safe Harbor agreement or the enforcement moratorium to transfer data.
Fortunately, prior to the Schrems decision, the Safe Harbor Framework was already under renegotiation between the U.S. Department of Commerce and the European Commission (EC). In 2013, the EC identified 13 areas in which it sought updates to the Safe Harbor – issues on which the EC and Commerce Department are reportedly close to agreement. While this is good news, we caution policymakers that there are several more steps to be taken in the EU before the so-called “Safe Harbor 2.0” agreement can be finalized, and there is no certainty the agreement will be approved by the European Parliament and other stakeholders.
The only relative certainty in this complex time is that absent a Safe Harbor 2.0 in place on February 1, 2016, the vital trade relationship between the United States and the EU could be severely impacted.