Death of Safe Harbor
On 6 October 2015 the European Court of Justice, the European Union’s highest legal authority, ruled that the Safe Harbor arrangement between the EU and the US is invalid. If any of your US-based travel service providers – including travel management companies, online booking tools, expense management tools, global distribution systems or traveller tracking tools – transfer personal data about your EU-based employees to databases or cloud services hosted in the US, your company is affected by this decision.
What is Safe Harbor?
Safe Harbor allows US companies to self-certify that they adhere to European Economic Area standards when protecting the personal data of European citizens; no external body checks the certification. Data protection standards are significantly tougher in the EEA (the European Union plus Norway, Iceland and Liechtenstein) than in the US. Around 4,500 US companies have signed up to Safe Harbor.
What happened on 6 October?
The ECJ ruled Safe Harbor invalid on two grounds. First, the arrangement prevents EU member states’ data protection authorities from investigating, on a complaint, whether US companies take adequate steps to meet their privacy commitments. Second, Safe Harbor provides inadequate protection because US national security, public interest and law enforcement requirements take precedence over its privacy principles, so US companies are required to set those principles aside whenever the two conflict. According to the ruling, US agencies are “able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.”
Where does this leave EU companies?
The ruling means that companies whose data is transferred to the US with no safeguard other than Safe Harbor no longer have a lawful basis for the transfer under European data privacy law. The EU’s data protection authorities have said they will begin coordinated enforcement action against such transfers from 1 February 2016, and companies could be fined heavily as a result.
What steps can my company take to make itself compliant?
Re-write your service provider contracts
Experts recommend adding specific clauses on data privacy into contracts; the European Commission’s standard contractual clauses (“model clauses”) are the ready-made form of this. The clauses spell out precise requirements that make the service provider comply with the same general data privacy principles it committed itself to when signing up to Safe Harbor. Examples include rules on onward transfer to third parties, taking reasonable steps to protect data from loss and misuse, and only using data for the purposes for which it was collected.
However, it is not 100 per cent certain at the time of writing that adding data transfer requirements to contracts will in future be considered an acceptable replacement for Safe Harbor. European member states’ data protection authorities are examining whether standard contractual clauses can remain valid following the ECJ ruling, since the court’s objection to US government access applies regardless of what the parties agree between themselves. They will announce their decision by 31 January 2016.
Wait for Safe Harbor 2.0
The ECJ’s ruling follows the revelations in 2013 by former National Security Agency contractor Edward Snowden that US agencies access data on a systematic basis instead of looking only for specific information as allowed under European privacy principles. Ever since that time, Safe Harbor has looked obsolete, which is why EU and US officials started negotiating a new agreement many months before the ECJ ruling.
Negotiations have accelerated since 6 October and European officials say they are making good progress towards concluding the improved agreement by 31 January. If that happens, US service providers could cover themselves adequately once again. However, a “Safe Harbor 2.0” would not be 100 per cent reliable either. Some data protection officials have questioned whether any new agreement, however much improved, could pass examination by the ECJ.
Instruct your service provider to store your data within the EEA
Some European companies, especially in Germany, started to switch business from US providers after the Snowden revelations. As a result, US providers began opening data facilities within the EEA so they would no longer have to store European clients’ data within the US. This trend has gathered pace since the ECJ ruling, with companies such as Amazon and Microsoft announcing expanded data storage in Europe. Note that storage location alone does not settle the question: if the provider’s US-based staff or support systems can access the EEA-hosted data, that access is itself a transfer, so ask where the data is administered from as well as where it sits.
Case-study – How TravelpoolEurope handles data privacy with service providers
Compliance through contracts
TravelpoolEurope uses two basic contract models. The first covers service providers which store traveller data within either the EEA or the short list of additional territories the EU considers to provide adequate data protection (see the end of this article). For providers in all other countries, the TravelpoolEurope contract includes a non-negotiable 11-page document of precautions the service provider must comply with to ensure it meets EU data privacy standards.
TravelpoolEurope makes significant efforts to limit the data it authorises for transfer to service providers, so they receive only the minimum required to perform their duties. Personnel data is kept within TravelpoolEurope’s own systems and forwarded only where necessary. TravelpoolEurope therefore controls and amends traveller profiles automatically on behalf of all the TMCs it uses globally, rather than letting each TMC hold its own master copy.
Credit card data is likewise stored by TravelpoolEurope itself rather than, as is usual, with its expense management tool provider, Concur. TravelpoolEurope creates a dummy number to stand in for each real credit card number, and only these dummy numbers are forwarded to Concur, in a single file; the mapping between dummy and real numbers never leaves TravelpoolEurope. TravelpoolEurope is also increasing its use of lodge cards and single-use virtual cards to reduce dependence on travellers’ own credit cards, another way of keeping personal data to a minimum.
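The dummy-number approach described above is a form of tokenization. The following is an added illustration of how such a scheme can be built, not TravelpoolEurope’s or Concur’s own code: real card numbers stay in an in-house vault, each is replaced by a random surrogate that passes the same Luhn check a card number does (so downstream tools accept it as well-formed), and the export file for the expense tool carries surrogates only. The `CardVault` class, the `build_export` function and the CSV column names are assumptions made for this example; the card numbers are the publicly documented Visa and Mastercard test numbers, used here as constructed sample input.

```python
"""Card-number tokenization for a minimal-data export (added example, not
TravelpoolEurope's or Concur's code). Real PANs stay in the vault; only
Luhn-valid surrogate numbers leave the building."""
import secrets


def luhn_checksum(number: str) -> int:
    """Luhn sum mod 10 over the digits of `number`, doubling every second
    digit from the right. A valid card number yields 0."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and luhn_checksum(number) == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` Luhn-valid."""
    return str((10 - luhn_checksum(partial + "0")) % 10)


def random_luhn_number(length: int = 16) -> str:
    """A random, well-formed (Luhn-valid) number of the given length.
    It is NOT derived from any real PAN, so it cannot be reversed.
    Caveat: a downstream system that validates issuer ranges (BINs) will
    need surrogates drawn from a range it accepts; that is not modelled here."""
    first = str(secrets.randbelow(9) + 1)                       # avoid a leading zero
    body = first + "".join(str(secrets.randbelow(10)) for _ in range(length - 2))
    return body + luhn_check_digit(body)


class CardVault:
    """In-house mapping between real PANs and surrogate tokens (hypothetical
    class name). Only the vault ever holds a real PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    @staticmethod
    def _normalise(pan: str) -> str:
        return pan.replace(" ", "").replace("-", "")

    def tokenize(self, pan: str) -> str:
        """Return the stable surrogate for `pan`, creating one if needed."""
        pan = self._normalise(pan)
        if not luhn_valid(pan):
            raise ValueError("input is not a well-formed card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]          # idempotent: same card, same token
        while True:
            token = random_luhn_number(len(pan))
            # never hand out the real number itself or reuse an existing token
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a surrogate back to the real PAN (vault-side only)."""
        return self._pan_by_token[token]


def build_export(vault: CardVault, travellers: list[tuple[str, str]]) -> list[str]:
    """Lines of the file sent to the expense tool (hypothetical layout):
    traveller id and surrogate only, never the real card number."""
    lines = ["traveller_id,card_token"]
    for traveller_id, pan in travellers:
        lines.append(f"{traveller_id},{vault.tokenize(pan)}")
    return lines


# Constructed sample input: public test card numbers, not real cards.
SAMPLE_TRAVELLERS = [
    ("T001", "4111 1111 1111 1111"),
    ("T002", "5555 5555 5555 4444"),
]

if __name__ == "__main__":
    vault = CardVault()
    for line in build_export(vault, SAMPLE_TRAVELLERS):
        print(line)
```

The vault is the only component that needs to be in scope for card-data protection; the export file and the expense tool see well-formed numbers that carry no information about the real cards. Where reconciliation requires the traveller to recognise a card, the last four digits are the fragment PCI DSS permits to be displayed, and they would be added as a separate column rather than by deriving the token from the real number.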
The TravelpoolEurope perspective – act now to stay compliant
The significance of the ECJ Safe Harbor ruling is not really about whether businesses can stop the US government looking at their data. Many people think their data could in reality be visible to US and other security agencies wherever and however it is stored – even in Europe.
Instead, this is really a compliance issue: are you following the rules laid down by the EU? At the moment, that question is hard to answer, because no one is sure what the accepted rules are going to be now that Safe Harbor has been torn up.
Clearly, the most important precaution during this period of uncertainty is to educate yourself. Questions to ask include:
- Who are our US-based travel service providers?
- How much personal data do they have about our travellers?
- Where do they store the data?
- What steps do they take to protect our data?
- Who in our company is dealing with this issue? Do we have a dedicated privacy officer (which is becoming increasingly common)?
More will become clear by the end of January 2016, so be ready to review the issue and take decisions then.
Which countries outside the EEA does the EU consider to provide adequate protection for data privacy of individuals?
Andorra, Argentina, Canada (commercial organisations covered by its federal privacy law), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay.