The July 2000 Safe Harbor agreement between the United States and Europe concerning cross-border data flows is one of the key regulatory structures governing how organizations can collect, store, move, and use the massive amount of personal data generated in our interconnected world. Fourteen years after its inception, the agreement is under increasing strain from the rapid pace of technological innovation, high-profile breaches of consumer data, and the continued fallout from the Edward Snowden revelations. The EU and U.S. are in the process of updating the original agreement to reflect these new concerns. The implications for organizations' data operations and privacy policies could be significant, creating new regulatory structures and demanding new procedures and safeguards.
Why and How Is Safe Harbor Changing?
The U.S. and Europe have evolved different conceptions of privacy, shaped by a host of regulatory, political, legal, and consumer-expectation factors. These differences were exacerbated by the revelations of former NSA contractor Edward Snowden. Those revelations, combined with EU-U.S. trade negotiations, rapid changes in technology, and (EU) citizens’ expectations, have led to a reassessment of the program.
In November 2013, the European Commission put forward 13 separate recommendations to promote “the continuity of data protection rights of Europeans when their data is transferred to the US.” Among the recommendations raised by the Commission is greater transparency: companies would be required to disclose privacy policies not only to federal regulators but also to the public at large, and the Department of Commerce would become more active in publicly flagging companies that are not in full compliance with the agreement.
A second subset of the recommendations seeks to make redress and enforcement easier for aggrieved Europeans by allowing better access to alternative dispute resolution bodies and proposing suspensions for noncomplying organizations, inspections of self-certifying companies, and aggressive investigation of false claims of adherence to the Safe Harbor.
Finally, the Commission wants the national security exception in the Safe Harbor to be narrowly drawn and wants companies to provide information as to when and how they respond to requests from law enforcement and national security agencies.
In March, the European Parliament issued a resolution to suspend the Safe Harbor agreement due to the Snowden revelations. Though nonbinding, the resolution adds political pressure on the Commission to strengthen Safe Harbor regulations. The resolution was followed by the release of additional recommendations from the Article 29 Data Protection Working Party to the Commission for inclusion in the ongoing negotiations between the EU and U.S. However, the Article 29 Working Party also recommended the suspension of the Safe Harbor program if the current negotiations do not lead to a positive outcome. It is important for our clients participating in the Safe Harbor program to be informed about potential changes to allow time to adopt measures to ensure continued EU-U.S. cross-border data processing operations. Where appropriate, we will also link this to the ongoing discussions about the new general EU data protection framework.