Now that Sunday’s deadline to reach a deal on a new Safe Harbor framework between the United States and European Union has come and gone, the question for many companies is what, if anything, they are going to about it.
American and European negotiators, meanwhile, continue to work on an agreement before European regulators issue a ruling on how data can be shared, which is expected on Wednesday.
Safe Harbor was a framework of principles regarding opt-in/opt-out, onward transfer of data to third parties, security, use, access, and compliance that had been in place since 1998. It allowed U.S.-based companies to transfer data about their European customers, regardless of which country they were in, to the United States, provided that they followed the guidelines set out in the framework.
On October 6, 2015, the European Court of Justice, fearful that U.S. law does not adequately protect the privacy of EU citizens, declared Safe Harbor invalid. Representatives from the United States and the European Union had until Sunday to come up to a compromise agreement that would have allowed the program to continue. Basically, if a company abides by Safe Harbor, it can avoid adhering to the patchwork of privacy laws, regulations, and directives form each of the EU’s 28-member countries.
Fortunately, for most companies doing business in the EU, Safe Harbor is a non-issue. This also holds true for U.S.-based companies doing business with the Swiss, since there is a separate Safe Harbor framework in place for Switzerland. Also, if a company is not subject the jurisdiction of the Federal Trade Commission or the Department of Transportation, then Safe Harbor doesn’t apply, either.
For these companies – and most of the companies doing business in Europe, it turns out – model contracts are the preferred method of securing data transfer rights, said Carsten Casper, a managing vice president at Gartner. Model contracts (also called standard contracts or model clauses) are standard contractual clauses that U.S.-based companies can use to transfer data out of the EU. They are binding, legally enforceable, and cannot be modified. Companies have to adopt them as written by the European Council and the European Parliament.
“Most companies have been using model contracts anyway. Tens of thousands of companies are using standard contractual clauses,” said Casper, an attorney who has been working with these issues since the days of the PATRIOT ACT in the 2000s. “What happens now … is those companies that have been relying on Safe Harbor; they are now shifting to model contracts.;