I would like to introduce you to my colleague and friend Carsten Casper, who has been following today’s announcement from the European Union Commission regarding Safe Harbor. He believed this was an important event for our clients and wanted to provide some immediate comments and analysis on the topic. This coincides with another colleague of mine, Jay Heiser, who is also providing insight via his blog. Please take the time to read below– it is enlightening. Thank you!
Written by: Carsten Casper, Managing Vice President, Digital Workplace Security
The European Court of Justice (ECJ) ruled on October 6, 2015 that the EU Commission decision known as Safe Harbor is invalid. In practical terms, this means that 28 different EU data protection agencies can now decide whether or not a particular company’s data transfer arrangement between the EU and the US is legal. The full text of the ECJ ruling is available at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf .
This is only the latest in a series of developments about privacy differences between the EU and the US, which also includes the umbrella data protection agreement (see http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm) for law enforcement collaboration, the US attempt to access a Microsoft email account in Ireland (see http://www.bloomberg.com/news/articles/2015-09-09/microsoft-argues-for-data-security-in-landmark-court-appeal) and the upcoming EU General Data Protection Regulation (see http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm) with its potential extraterritorial scope.
The immediate result is uncertainty in the market.
The course of action for companies depends on various factors, especially the type of personal data being processed, whether it’s employee or customer data, and the countries in which a company operates. Since there are various legal options and implications and Gartner does not give legal advice, companies should seek information from qualified legal counsel, such as Hogan Lovells, DLA Piper, Hunton & Williams, Latham & Watkins, White & Case. A good overview of possible actions is provided at http://www.dataprotectionreport.com/2015/10/day-after-safe-harbor-action-plan-anticipating-ecj-schrems-decision/ .
• Companies need to obtain legal advice, but should also consider that this is a new situation for the legal profession, including the various EU data protection authorities (DPAs).
• Replace Safe Harbor with EU Standard Model Contracts (mid-term), Binding Corporate Rules (long-term) or consider free explicit individual consent for data transfers (not scalable) or other derogations (narrow scope). As of Oct 6th, 2015 a total of 4465 companies have current Safe Harbor certifications (not expired, see https://safeharbor.export.gov/list.aspx ), 76 companies use Binding Corporate Rules (list at http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm ) and tens of thousands of companies use standard model contracts (no registry available).
• Don’t think you’re off the hook if you don’t use Safe Harbor for international transfers of personal data. DPAs will feel encouraged to also evaluate model contracts and transfers to countries with recognized adequate protection – which are also based on EU Commission decisions.
• Strengthen your collaboration with data protection authorities in some countries, especially Germany, France, Spain, Italy, Poland as they will now (want to) have a greater say on international transfers.
• The ECJ ruling will have a financial impact in various ways. IT providers will feel (even more) inclined to host processing of personal data in Europe, requiring additional data center capacity. EU companies will favor data storage in Europe, potentially (having to) paying a higher price. Both parties will pay additional legal fees for new contracts, agreements and advice. EU data protection authorities need additional staff to review complaints of EU citizens.
• It has been clear for years that Safe Harbor is a weak mechanism. Those relying on it knew they took a risk.
• The political implications (long negotiations) are incompatible with the need for IT and business decision makers to take action (short term).
• Businesses are more concerned about fragmented compliance in Europe, less about having to stop transfers to the US.
• Start or continue using standard contractual clauses, although even these might come under scrutiny.
• Differentiate by use case. Large volumes of consumer records need to be addressed first.
• Move personal data processing to the EU only if there is a clear business case, including actual (not just potential) fines or lost revenue due to lost customers.
• Focus compliance on big EU countries like Germany, France while waiting for new EU-wide agreements for transfers to the US, law enforcement collaboration or general data protection.