Management, compliance & auditing

Is Safe Harbor 2.0 Another Tug of War between Privacy and Security?

Dimitar Kostadinov
December 10, 2015 by
Dimitar Kostadinov

What led to the Safe Harbor's Demise?

In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union (also known as CJEU or ECJ) held that the application of the U.S.-EU Safe Harbor framework violated the "adequate protection" rule concerning the processing of personal information of EU citizens by non-EU organization as set out in the European Data Protection Directive. According to the Court, the American national security and law enforcement interests had priority over the Safe Harbor agreement, and the U.S. organizations handling personal data from the EU were "bound to disregard [the framework's] principles without limitation where they conflict with [national security and law enforcement] requirements." Furthermore:

"The United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security," the ruling also said.

Adequate Protection

Pursuant to Article 25(1) of the EU Data Protection Directive, transfers of personal data to non-EU countries "may take place only if […] the third county in question ensures an adequate level of protection." Therefore, ensuring adequate protection is a condition sine qua non for transferring of consumer information from the EU to the U.S.

"The advantage of safe harbour was that it functioned as a kind of 'one stop shop' allowing for the export of personal data to the US, whoever in Europe it came from, without the need to ask for consent, or to enter into bilateral agreements, over and over again," remarked Patrick Van Eecke, co-head of the global privacy practice DLA Piper.

The European Commission has main authority to decide which country outside the European Union has sufficient data protection measures to satisfy the adequacy rule. Among other things, it bases its decision on the domestic law of the third country under review or the international commitments this country has entered into. The list of the countries considered as offering such a level of adequate protection can be found here. States members of the EU can make an assessment of the adequacy of countries that do not belong the politico-economic union, as well. Exceptions to this general rule are: binding corporate rules, European Commission's standard contractual clauses, or six specific derogations listed in Article 26(1) of the Data Protection Directive.

Alternative Ways to Transfer Knowledge from the EU to the US

As it was mentioned earlier, American companies can no longer rely on self-certification obtainable via Safe Harbor. The impact on large U.S. tech companies that operate with EU consumer data, such as Facebook, will likely boil down to huge quantities of paperwork. Perhaps smaller companies will be most affected. European Small and Medium-sized Enterprises have especially derived benefits from the practicality and certainty of Safe Harbor. In fact, SMEs will be hardest hit by impeded movement of international data flows, since they amount to 60% of all participants that adhered to the agreement.

"Until such time as the renewed transatlantic framework is in place, companies need to rely on the alternative transfer tools available," advises a new guide issued by the European Commission to help business find other ways to legally export personal information to the U.S. What are actually the alternative transfer tools available?

Many American companies have already established, or are in the process of setting up, EU-based data centers for their European customers as a permanent solution to abide by the adequate protection rule. Examples of such companies are Google, Facebook and Apple. Ireland seems to be a preferred location for that purpose, inter alia, because of its privacy-friendly legislation.

However, building oversees headquarters can be expensive. Aren't there less expensive ways in order U.S. firms to comply with this treacherous requirement called "adequate level of protection?"

Yes, there are! Let's examine the legal recourse:

Binding Corporate Rules

Multinational corporations, which have a branch both within European Union and within a country where the adequacy rule is not applied but is required by law, can resort to this international code of practice for transfers of personal data between companies belonging to the same multinational corporation. National data protection authorities must approve the binding corporate rules by virtue of their own national legal procedures.

Standard Contractual Clauses

The European Commission adopted three sets of standard contractual clauses – first two sets are for transfers between data controllers and the third one is between a data controller (i.e., a person who /either alone or with others/ controls the contents and use of personal data) and a data processor (i.e., a person who processes personal data on behalf of a data controller).

Contractual clauses for transfers from a controller to a controller:

(First model 2001/497/CE); (Second model 2004/915/CE);

Contractual clauses for transfers from a controller to a processor:

(Before 15 May 2010: 2002/16/CE; After 15 May 2010: 2010/87/EU). Please see FAQs (WP176) about contractual clauses following Decision 2010/87/EU.

What is important to note is that these clauses offer sufficient safeguards with regard to the protection of the privacy, fundamental rights and freedoms of European citizens, as required by Article 26(2) of the Data Protection Directive. By incorporating the standard contractual clauses into any kind of contract, personal data can flow from a data controller located in Europe to a data controller in a country not ensuring an adequate level of data protection. Additionally, except under very specific circumstances, national data protection authorities are not empowered to impose a ban on such transfers.

Article 26(1) Derogations

  • Consent
    • Unambiguous
    • Prior the transfer
    • Specific (for a particular instance of data transfer)
    • Informed (stressing on the lack of adequate data protection in the destination country)
  • Necessary for the performance or conclusion of a contract (e.g., personal data can be necessary for a credit card payment made by the data subject /an individual who is the subject of personal data/ in a country outside the EU).
    • Substantial link exists between the purposes of the contract and the data subject's interest
    • Necessity of transferring the data outside the EU
    • Cannot be used for human resources purposes of "subsidiary-parent company" type, or payroll management
    • No additional information not necessary for the purpose of the contract
  • Vital interest of the data subject
    • data transferred in the event of medical emergency
    • data must be necessary for an essential diagnosis, not for general medical research
  • Necessary for an important public interest
    • what constitutes "an important public interest" should be defined by the national legislation where the controller is established
    • the concept of "an important public interest" must be interpreted strictly
    • e.g., transfers between tax or custom administrations
  • Exercise or defense of legal claims
    • in accordance with the national rules governing criminal or civil proceedings
  • The transfer is made from a public register
    • Information transferred from a public register "should not involve the entirety of the data or entire categories of the data contained in the register."


These derogations to the "adequacy" rule should be interpreted restrictively; moreover, they are applicable when the risk to the data subject is small, and they could not justify massive or repeated transfers of personal data.

The alternative means of EU-U.S. data flows place the responsibility squarely on the company where the transfer originates. Vĕra Jourová, the European Commissioner for Justice and Consumers, announced in line with this logic: "Whatever they choose, they must be able to prove that the protection is in place, that they guarantee the protection of data transferred to the U.S. This is especially a challenge for SMEs."

Within the legal bounds that entitle parties to a data transfer the freedom to choose a method, Sarah Crabb from Blancco Technology Group proposed some additional measures companies could use if they are willing to exchange personal data across the Atlantic. These measures are rather practical, and most of them, if not all, are to be included by any means in the legal recourse, but it is nevertheless worth reminding them:

  1. Transparent data management processes for the individuals whose data is processed – data subjects should be made aware of the terms and conditions;
  2. Implement robust security measures – e.g., data encryption at every stage (during storage or on the move), creating multi-layered passwords, maintain firewalls, etc. Nigel Hawthorn, EMEA director of strategy at the cloud security company Skyhigh Networks, deems that until new Safe Harbor takes effect, encryption may hold the answer to upholding the rule of adequate protection: "Organisations need to investigate technologies such as encryption or risk being dragged through the courts by privacy advocates, customers or employees. Tokenising or encrypting data flows before they are sent to the cloud, and keeping the keys on premise, means all of these issues disappear. There is no 'personal' data in the cloud service once it has been encrypted or tokenised."
  3. Adhere to the seven Safe Harbor principles – 1. notice; 2. opt-out choice; 3. restriction on onward transfer; 4. security of data protection; 5. preservation of data integrity; 6. individual's right to access; and 7. effective enforcement. Even though the agreement is invalid, these principles remain in force.

Debates over a New Safe Harbor Agreement

Representatives of the United States and the European Union have been negotiating a new Safe Harbor agreement for nearly two years – "Safe Harbor 2.0". However, the European court's ruling will certainly put pressure on negotiators to speed up its conclusion.

According to a group of American and European human rights and privacy NGOs, Safe Harbor 2.0 currently is drafted in a way that "will not provide a viable framework for future transfers of personal information" between the two major economic areas. The 20 EU and 14 US organizations instead call upon the politicians "to commit to a comprehensive modernization of privacy and data protection laws on both sides of the Atlantic."


We live in interesting times, times brimming over with changes. On 27 October 2015, the U.S. Senate passed the Cybersecurity Information Sharing Act (CISA). Digital rights advocates describe the bill as a "surveillance bill masquerading as a cybersecurity bill." While most people have focused on CISA's potential to legalize Internet service providers' limitless sharing of Americans' private data with the government, Access, one digital rights group, stressing an already strained relationship with European allies about transfers of data on European citizens to the U.S., is saying that CISA's influence could stretch across the Atlantic. Consequently, that might bring the negotiations of the new Safe Harbor to a halt.

To add insult to injury, the lengthy Safe Harbor negotiations bring forward the different approaches for protecting personal information on the Internet. While in the U.S. privacy is regarded as a consumer protection issue, in Europe is regulated in a similar fashion to the protection of fundamental rights as freedom of expression. It seems that what is needed is a new Safe Harbor 2.0 that will reflect on the concerns of the EU court and that will restore consumer trust; a new agreement that will further digital innovation without being at the expense of fundamental civic rights.

With respect to this point, among other things, the EU is trying to restrict access of U.S. government agencies to EU citizen's data and to promulgate a legal procedure that will grant EU citizens the right to bring U.S. companies that misuse their data before U.S. courts.

A light in the tunnel is the Judicial Redress Act that would give EU citizens the means to initiate a legal action against mishandling of their personal data by the U.S. government. The tech companies have called for its passage and the House of Representatives has passed it on a voice vote on 20 October 2015. Interestingly, the Judicial Redress Act does not envisage any legal remedies against the tech companies themselves. This bill reciprocates the same right of judicial redress in event of failure of European authorities to respect data protection rights of U.S. citizens provided following the conclusion of an umbrella agreement  that sets forth a data protection framework for EU-U.S. law enforcement cooperation.

All these steps, some are already underway others are planned for the future, would soon or later help the two regions walk the winding way to the point of mutual understanding with respect to data protection and privacy: that is a workable Safe Harbor 2.0; until then everyone who wants to legally transfer personal data from Europe to America should make do with whatever legal means he has at his disposal to find another route across the Atlantic.

Reference List

Clark, K. (2015). The EU Safe Harbor Agreement Is Dead, Here's What To Do About It. Available at (01/12/2015)

Crabb, S. (2015). End of Safe Harbor Agreement Doesn't Mean the End of Data Protection. Available at (01/12/2015)

Darrow, B. (2015). Tech Companies are Seizing on the Collapse of the Safe Harbor Agreement. Available at (01/12/2015)

Eversheds LLP (2015). The Working Party Statement. Available at (01/12/2015)

EuroISPA (2015). Safe Harbour 2.0 must serve dual goals of innovation and data protection. Available at (01/12/2015)

First Advantage (2015). US Safe Harbor Agreement in Flux – Now What? Available at (01/12/2015)

Iwata, E. (2015). Safe Harbor ruling sends big ripples through U.S. companies. Available at (01/12/2015)

Gibbs, S. (2015). What is 'safe harbour' and why did the EUCJ just declare it invalid? Available at (01/12/2015)

Kehl, D. (2015). Court of Justice Invalidates Key Part of U.S.-E.U. "Safe Harbor" Agreement. Retrieved at (01/12/2015)

LibertiesEU (2015). Instead of Safe Harbor 2.0, NGOs Propose Privacy Reforms. Available at (01/12/2015)

Macri, G. (2015). Could CISA Derail Safe Harbor 2.0? Available at (01/12/2015)

Millman, R., Curtis, J., Shepherd, A. (2015). US and EU must reach new Safe Harbour deal by January 2016. Available at (01/12/2015)

Moody, G. (2015). Safe Harbor 2.0 framework begins to capsize as January deadline nears. Available at (01/12/2015)

Moscaritolo, A. (2015). EU Gives U.S. 3 Months for New 'Safe Harbor' Data Transfer Deal. Available at,2817,2494588,00.asp (01/12/2015)

PR Newswire Association LLC. Following Rejection of the Safe Harbor Agreement, AT Internet Analyses Impact and Affirms its Analytics Suite's Total Compliance With EU Legislation. Available at (01/12/2015)

Richardson, S. (2015). Good and bad news on Safe Harbour: Take a life ring or hold out for a new agreement? Available at (01/12/2015)

RT. No 'Safe Harbor': Mixed reaction as top European court strikes down EU-US data-transfer agreement. Available at (01/12/2015)

Sayer, P. (2015). EU tells US it must make next move on new Safe Harbor deal. Available at (01/12/2015)

Scott, M. (2015). Data Transfer Pact Between U.S. and Europe Is Ruled Invalid. Available at (01/12/2015)

Stone, J. (2015). Top European Court Kills 'Safe Harbor,' A Major Blow To US Tech Companies Like Google, Microsoft And Facebook. Available at (01/12/2015)

Taylor, S. (2015). It's Clear the U.S. and EU Economies Need a Safe Harbor 2.0. Available at (01/12/2015)

Uehlein, M. (2015). DMA Optimistic U.S. and EU Will Reestablish Safe Harbor Agreement. Available at (01/12/2015)

The three-step graphics on EU Data Transfers are based on a set of tables entitled "Step-by-step decision-making process" in Frequently Asked Questions Relating to Transfers of Personal Data From the EU/EEA to Third Countries

Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.