Privacy Shield Starts, Now What About that Safe Harbor Statement in Your Policy?


best-practices, privacy

As of today, companies have the ability to self-certify as members of the EU-US Privacy Shield.  It may also be a good day to review the Safe Harbor language many companies have retained in their privacy policies.

Many companies have retained Safe Harbor language in their policies, even after adopting model contracts. They have done so for a number of logical reasons: they still follow the rules, previously collected data is covered under the Safe Harbor commitment, temporarily changing the policy could be confusing, and contractual obligations to be in Safe Harbor continue. Keeping Safe Harbor language has been the opinion of many outside counsel.

But some EU regulators may not agree. The CNIL claim last week against Microsoft follows a similar claim against Facebook regarding Safe Harbor language in its privacy policy. The CNIL pointed to the Safe Harbor language in the privacy policy to make the claim that the companies had no legal basis to transfer data to the US.

In each case, the companies had model contracts in place. The Microsoft policy even specifically explains that the company uses “a variety of legal mechanisms, including contracts, to help ensure your rights and protections travel with your data.”

The CNIL charge is difficult to understand.  But given the CNIL position, perhaps companies should add even more language to their policies explaining the purpose of retaining the Safe Harbor language and expressly detailing that it is not the current legal basis for data transfer.  Perhaps removing the language altogether is a good idea. Perhaps the CNIL and other Data Protection Authorities will only raise this issue with big companies as an aside to other issues they are contesting.

Read the CNIL Complaint

Read Microsoft’s Privacy Policy