Voice of the Industry

Safe Harbor Decision and its implication for EU Merchants

Tuesday 8 March 2016 00:03 CET | Editor: Melisande Mual | Voice of the industry

Úna Dillon, Merchant Risk Council: More and more consumers are becoming aware of the issue of data protection

The European Commission and the US agreed on a new framework (EU-US Privacy Shield) for the transatlantic flow of data on 2 February 2016. So, what brought us to this point and what does it really mean for EU merchants?

The so-called “Safe Harbor” agreement was made by the European Commission in 2000 and allowed around 4,500 US companies to transfer data from the EU under specific data protection standards. In 2013, a claim against Facebook was brought to the Irish Data Protection Commissioner (IDPC) by Austrian law student Max Schrems. He suggested, on the back of claims made by Edward Snowden regarding alleged access to certain private data by US intelligence authorities, that Facebook (Ireland Limited) was transferring personal data to the US under circumstances where the laws and practices in the US presented no real protection against the sharing of that data.

The IDPC decided it was a matter for the European Commission. The case was finally put to the European Court of Justice (ECJ). In October 2015, the ECJ found that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities. In other words, the decisions made by (EU) national supervisory authorities on the adequacy of a third country’s data protection measures, where their citizens’ data is transferred to that country, override European Commission decisions made under the Safe Harbor agreement.

Once the ruling was made by the ECJ, the European Commission and US authorities set about producing a relevant and workable replacement for Safe Harbor. EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourová, gave a speech in Strasbourg on 2 February 2016, where she announced that the Commission had finalised negotiations with the US on a renewed and safe framework for transatlantic data flows.

Jourová promised a conclusion of “a strong and safe framework for the future of transatlantic data flows” with an arrangement that protects the fundamental rights of Europeans and ensures legal certainty. In her speech, Jourová outlined the key achievements of the negotiation:

1. Clear safeguards and transparency obligations on US government access to data. The Commission and the US Department of Commerce agreed to carry out an annual joint review to ensure the commitments are made and upheld.

2. Effective protection of Europeans’ rights: any citizen who considers their data has been misused under the Safe Harbor scheme will benefit from several accessible and affordable dispute resolution mechanisms. Individuals can go to EU Data Protection Authorities (DPAs), who will work together with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. These cases should be resolved in a reasonable timeframe: if a DPA refers a case to the US, the Department of Commerce will have a deadline to respond.

• If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism.
• Redress for EU citizens in the area of national security will be handled by an Ombudsman independent from the US intelligence services. This is a new tool specifically foreseen for this arrangement.
• Once the judicial redress act is passed, EU citizens will for the first time have access to US courts in the context of personal data being used for law enforcement purposes.

3. There will be strong obligations on companies handling the data:

• There will be regular updates and reviews of participating companies by the Department of Commerce.
• The new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies follow the rules to which they agreed. If companies do not comply in practice, they face sanctions and removal from the list.
• There will be tightened conditions for onward transfers to other partners by the companies participating in the scheme.

So what should you do if you are a merchant based in the EU and are currently relying on the Safe Harbor agreement to transfer personal data to the US?

• It goes without saying: consult a legal advisor qualified in international data protection.
• Adopt the standard contractual clauses produced by the European Commission. (The EC issued a set of standard contractual clauses for the transfer of data from data controllers to data controllers established outside the EU/EEA, and a set for the transfer of data to processors outside the EU/EEA.) While the documents do not specifically describe how to implement the standards, they do refer to the rights of the consumer which must be upheld. Compliance is a step in the right direction in terms of litigation risk.
• Put a data protection agreement in place between the EU company and the US partner which specifically outlines the exact data being processed, how it is processed and the measures in place to protect the data.
• Brand loyalty is hugely important for the growth of any merchant. With stories running every day about data hacking incidents and personal data being handed over to law enforcement authorities, consumers are becoming more selective about the merchants to whom they are willing to hand over their personal details. They have concerns. Being able to provide valid reassurance to EU consumers that their data is being held as safely as it is in their own country is a step in the right direction for businesses conscious of their customers’ concerns.

Realistically, a US company can only really guarantee protection of its EU customers’ data by complying with the same data protection controls that are enforced on European merchants. This means compliance with the data protection legislation for all 28 EU States. National data protection legislation can vary quite a bit across the different EU States, ergo, compliance is a mammoth task. The new EU-US Privacy Shield will likely be a catalyst for relevant merchants to start taking their EU customers’ rights very seriously.

More and more consumers are becoming aware of the issue of data protection. While there is a lot of choice in the market for most products and services, consumers will likely start to favour those merchants who promise to fulfil their privacy obligations and take all necessary steps to ensure they can really be trusted with their customers’ personal data.

About Úna Dillon

Úna Dillon is the Managing Director of MRC Europe, responsible for providing overall leadership of the MRC’s European operations including business development, programme and educational development, member recruitment and strategic management. She has over 19 years’ experience in financial services, payment card scheme management and strategy, European policy and membership associations.

About Merchant Risk Council

With the vision of making commerce safe and profitable everywhere, the Merchant Risk Council (MRC) is the leading global trade association for eCommerce fraud and payments professionals. The MRC provides year-round support and education to members by offering access to proprietary benchmarking reports, workshops, whitepapers, presentations and webinars. The MRC’s membership has grown to include almost 400 of the world’s most prominent merchant organizations, over 70 industry solution provider companies and multiple law enforcement agencies in the US and Europe.

 

 

 


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: Safe Harbor, decision, regulation, law, implication, EU, merchants, online sales, cross border
Categories:
Companies:
Countries: World





Industry Events