Uncertainty Abounds as Safe Harbor Collapses

The European Court of Justice ruled October 8 to invalidate the 15-year-old “Safe Harbor” agreement, which had allowed untethered transatlantic data transfers. The agreement had been an exception to the EU Data Protection Directive, which prohibits businesses from transferring personal data to countries with insufficient data protection measures. The European Union, long dubious about American data protection laws, had allowed companies working there to self-certify that they complied with European laws — and more than 4,000 enterprises have benefited from this agreement since 2000. Yet in the wake of the revelations about the NSA’s data collection practices, the court issued the ruling, concluding that “the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.”

The ruling, which swept away the Safe Harbor provision, thus leaves thousands of companies that relied on it in purgatory. Pending more clarification from the European Union, any beneficiaries of the Safe Harbor apparatus will now have to fundamentally restructure the way they collect, store and transfer data, as the European Union has a much broader definition of personally identifiable information than the United States.

The formerly painless process of compliance with the European Union’s data protection regime has now become somewhat muddied and will need to be reevaluated. In the short term, companies should contemplate adopting binding corporate rules or model contract clauses to ensure that their data practices align with those of the European Union. Enterprising counsel might consider undertaking a full review of their data storage and transfer process, especially with regard to personally identifiable information, and determine whether it requires an overhaul. Concerned counsel should read “The Future of the Safe Harbor Agreement,” an interesting Docket article from September 2014. Mindful of the looming changes to Safe Harbor, it contains an in-depth discussion of alternatives to the agreement.

While the legal void will persist for a while longer, the European Commission is currently negotiating with the United States for a new data sharing agreement, with commission member Věra Jourová promising a “safer Safe Harbor.” However, these negotiations will stretch on, and if no new deal is reached by January, companies still operating under the defunct Safe Harbor provisions will face enforcement action in the European Union. European data protection officials have thus sounded a dire warning to multinational companies, with the “Article 29 Working Party,” consisting of officials from 28 EU member states, saying the following in a recent press release:

“…[B]usinesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.”