Striking down the business-friendly Safe Harbor protocol will force US firms to find other ways to ensure compliance with EU data privacy laws
A decision handed down by the European Court of Justice (ECJ) -- the EU’s highest court -- on October 6 will force roughly 4,500 businesses to change their practices around data privacy. Companies that have relied on the EU-wide Safe Harbor Privacy Principles to transfer personal data between Europe and the US can no longer do so. Instead, they will have to adopt a different strategy to protect the personal data of EU citizens, or stop transferring personal data altogether.
‘This decision will have an immediate and disruptive impact on commercial relationships between the US and the EU,’ said Mary Hildebrand, founder and chair of Lowenstein Sandler’s privacy practice. ‘In addition to technology giants such as Facebook and Yahoo, there are thousands of other companies and organizations that rely on the Safe Harbor protocol to conduct business across borders, and/or for intra-company transfers of personal data. All of these organizations must immediately assess the impact on their business, evaluate the alternatives and move expeditiously to implement a new structure.’
In striking down Safe Harbor, the ECJ made clear that it does not believe the protocol provides the privacy protection it promises. Hildebrand explained “the ECJ believes that national security, public interest and law enforcement requirements of the U.S. prevail over the Safe Harbor, so that US companies and the US government are ‘bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.’”
As a result, the Court concluded that the Safe Harbor did not sufficiently protect Europeans’ privacy rights and, therefore, had to be struck down.
The decision has ‘no logic in it or analysis in it,’ says Alan Charles Raul, founder and leader of Sidley Austin’s privacy, data security and information law practice. ‘It’s just a statement declaring the Safe Harbor invalid.’ Raul also sees it as ‘incongruous’ for the ECJ to focus on American intelligence and law enforcement activities when the EU’s own protections had exceptions for its own intelligence services. He further expresses frustration with the ECJ’s legal process, noting that no company had had the opportunity to be heard on the issues, nor had the US government, because the ECJ does not have a ‘friend of the court’ procedure. As a result, the claims of Edward Snowden, which underlay the ECJ’s concern, went unchallenged, Raul says.
The broader data privacy context within which the ECJ issued its decision includes many moving pieces not only on the judicial front, but in the legislative and diplomatic arenas as well, Hildebrand says.
‘There are two chains of events. One starts with Edward Snowden’s revelations in 2013. Part of that was the EU requested modifications in the safe harbor, so the EU and US have been negotiating. They are close to inking an agreement,’ she says. ‘The second chain of events began in 2012 when the EU Commission introduced a whole new regime on data privacy, which, if fully adopted, would have the force of law. It is expected to be approved in its final form in the next few months.’
While nothing is guaranteed, the final deal and rule are expected to be broad enough to address the privacy concerns raised in the case the ECJ ruled on. Nonetheless, the new rule and diplomatic agreement will not resolve the issues. The ECJ decision means that ‘even if the safe harbor is revised through the current negotiation process, the separate data authorities in each EU member state still have the right to investigate and refer issues regarding the new safe harbor to the Court,’ Hildebrand adds.
Both Raul and Hildebrand have advice regarding compliance for companies. One way that companies can legitimize their data transfers from the EU to the US is to adopt ‘model contracts’ that use standard language put out by the European Commission, Raul says. Other strategies could include adopting binding corporate rules that protect privacy, getting consent for the data transfer from each individual EU citizen involved, or memorializing the reason the data transfer is necessary for purposes of executing a contract to which that person is a party. An example of the last situation might be the transfer of human resources information for an employment contract.
Hildebrand’s advice is organized around three points: assessing impact, evaluating alternatives, and developing a plan. Regarding assessing impact, she emphasizes that the decision takes effect immediately, there is no appeal, and the impact is broad. As of now, companies ‘cannot continue to transfer [personal] data from the EU to the US without implementing an alternative method to ensure that protection of such data is deemed adequate under EU laws.’ That means that any personal data of EU citizens that a company has collected and stored in the US (including cloud storage) now should be removed from the US and returned to the EU, and ideally to the country of origin.
‘These realities apply to consumer directed enterprises, business to business operations, intra-company transfers, and to a myriad of other transactions that depend on the ability to transfer EU personal data to the US pursuant to the Safe Harbor,’ she explains.
As for alternatives, Hildebrand agrees that consent, model contracts and binding corporate rules are the primary options, but says that none of these is particularly business-friendly, which is why the safe harbor was so popular. Finally, any compliance plan should include a firm, expedited implementation schedule, she adds.
Although the decision goes into effect immediately, both Raul and Hildebrand are optimistic that European data agencies are likely to proceed reasonably and recognize that compliance will take a little time.