Kevin Haley Esq. of Brann and Isaacson explains some of the important issues with changes to the "Safe Harbor" laws in the EU.
What is Safe Harbor?
In early October, in a case involving Facebook, the European Court of Justice invalidated a 15-year-old international agreement that permitted US companies to avoid compliance with the letter of European privacy law. Under the so-called “Safe Harbor” at issue in the Facebook case, US companies were permitted to self-certify that they provided a level of protection comparable to that in the EU for personal data stored on their servers located in the US. The ECJ’s ruling was based, at least in part, on the concern that US government electronic surveillance, as exposed by Edward Snowden, renders personal data housed on US servers unsafe. The rejection of the EU “Safe Harbor” has at least some American companies scrambling to find a way to comply with EU privacy laws. What does this case mean for US catalogers, and more broadly, what are US catalogers doing to comply with the patchwork of international privacy regulations?
Will it matter to your company?
This Pub Talk was a good discussion of this potentially far-reaching topic. While the law is still unfolding, there are plenty of things you can get ahead on right now. Kevin explains what may happen, what it will impact, and what you should be doing to make sure you aren't surprised later.
2. Outline
• Background on European Developments
• Recent changes
• The legal landscape
• Practical takeaways
3. Background: the EU process
• European Union Governance
▫ The EU issues “directives” setting goals that all EU member states must achieve
▫ However, individual nations decide how to achieve them, through their own legislative process
▫ Thus, these goals can be implemented very differently from country to country – some might fail to implement altogether (“cookie directive”)
4. Background: EU privacy law
• EU Data Protection Directive (Directive 95/46/EC, adopted 1995, in force 1998)
▫ Prohibits transfer of personal data to non-EU countries that do not meet EU “adequacy” standards for privacy protection
• US/EU “Safe Harbor Framework”: standard procedures whereby personal data could be transferred to the US
5. Background: safe harbor
Components of the Safe Harbor Framework:
• Notice: must notify individuals about the purpose of data collection
• Choice: must give individuals the choice of whether their personal information will be disclosed
• Onward Transfer: if transferring information to a third party, must follow the Notice and Choice principles
• Access: individuals must have access to their personal information, which can be amended, corrected or deleted
• Security: must take reasonable precautions to protect personal information
• Data Integrity: information collected must be relevant for the purposes for which it is to be used
• Enforcement: there must be a readily available independent mechanism for resolving disputes
Source: http://www.export.gov/safeharbor/eu/eg_main_018476.asp
6. Background: safe harbor (cont.)
• The “Safe Harbor Decision” (2000)
▫ The European Commission decided that by meeting the requirements of the Safe Harbor Framework, US companies adequately protected EU citizens’ data
▫ Allowed free flow of personal information between all 28 EU countries and US companies in compliance with the Framework
7. Recent Changes: Facebook lawsuit
• “Europe v. Facebook Lawsuit”
▫ Maximilian Schrems: Austrian privacy activist
▫ Brought a challenge to the Safe Harbor Decision in European court
▫ Based on US companies’ sharing of personal data with the US government
8. Recent Changes: safe harbor invalid
• European Court of Justice declares Safe Harbor Decision invalid (October 6, 2015)
• Cites Edward Snowden, finding that under the framework agreement the U.S. does not ensure adequate protection of fundamental privacy rights
• Companies can no longer rely on the Safe Harbor certification
9. Major Changes: uncertainty
• Extremely broad ruling:
▫ Unclear how US companies can meet EU privacy requirements
▫ Threatens suspending all transfer of data to non-EU countries that violate EU privacy rights
• Uncertainty:
▫ Provides little to no guidance on compliance going forward
▫ Unclear what data transfer mechanisms are “adequate”
▫ Unclear what rules now apply to the ~4,400 companies operating under the Safe Harbor framework standards
10. Continuing Developments
• German data privacy authority (Schleswig-Holstein) issues position paper (10/14):
▫ Argues that after this decision, there is effectively no mechanism for lawful transfer of data to the US
• EU Article 29 Working Party (the advisory body of the EU member states’ data protection authorities) issues statement (10/19):
▫ “EU Model Contractual Clauses” and “Binding Corporate Rules” can still be used to lawfully transfer data from the EU to the US
11. The Legal Landscape
• Now, EU countries’ national authorities examine whether or not US companies are in compliance with EU directives
• Some countries might be friendlier than others
12. The Legal Landscape: reactions
Differing reactions on the impact to US business:
Penny Pritzker, US Commerce Secretary: this ruling “puts at risk the thriving trans-Atlantic digital economy”
Facebook: “Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor”
13. The Legal Landscape: enforcement
• So, will the decision actually change much?
▫ What are most companies currently doing? (not much)
▫ What enforcement mechanisms exist?
▫ Who determines who is breaking the law?
▫ What can they do about it?
14. Enforcement: Russia
• New Russian law (data localization):
▫ Personal data of Russian citizens must be stored on servers located in Russia
▫ An attempt at actual enforcement?
▫ How does this compare to the EU approach?
15. Enforcement (cont.)
• Who is the target of this decision?
• Does the EU’s concern with NSA information collection really have a connection to most US business?
• Is it just Facebook, Google, and Amazon?
16. Practical Steps: Options
• Wait and see
• If you have them, maintain Safe Harbor practices
• Review active contracts
• Update contracts/policies to comply with the EU Model Contractual Clauses and Binding Corporate Rules
• Consider using EU-based providers without affiliates in the US