September 22, 2019

September 20, 2019

Subscribe to Latest Legal News and Analysis

Dangerous Waters in Safe Harbor: EU-U.S. Safe Harbor for Data Transfer is Safe No More

On October 6, 2015, the European Court of Justice (ECJ), abolished the 15 year old Safe Harbor agreement between the EU and the U.S. Over 5,000 businesses have relied on the Safe Harbor to receive personal data from EU member countries. While this creates a massive upset on how US companies do business, there are clear guidelines on actions to take in order to comply with the EU Data Protection Directive going forward.

The ECJ’s invalidation of the EU-U.S. Safe Harbor disrupts every business that transfers personal data collected from residents in the EU to the U.S. This decision impacts global data flows and raises jurisdiction issues over personal data for multinational companies that operate data centers in the EU, rely on cloud based storage by European subcontractors, and transfer data intra-company from EU subsidiaries.

Companies in the U.S. can no longer transfer EU data to U.S. servers without adequate protections. Such companies will not be able to store, process, or transfer data from EU citizens using the Safe Harbor Framework through an annual self-certification with the U.S. Department of Commerce. Instead, EU national regulatory authorities will now investigate data transfer to determine whether companies comply with EU law under an “adequate level of protection” standard.

After the end of January 2016, companies that violate the ruling will risk significant EU civil and criminal fines and face orders to halt data transfers. In some EU member states, officers and employees of a non-compliant company may face personal criminal liability for a failure to comply.

Companies will face huge costs to remove personal data from Europe or implement alternative processing in the EU in order to comply.  Three main methods for validating a transfer of data of an EU data subject include 1) obtaining personal consent to data transfers, 2) implementing binding corporate rules for intra-company transfer, and 3) using model contract clauses that incorporate the EU Directives principles. While personal consent is one option, there are many challenges to this approach to ensure validity.  A more cost effective solution is to enter into data transfer agreements based on EU approved Commission’s model contract clauses. These are essentially contracts that allow companies to transfer data out of the EU by going through different approval processes. Large internet and technology companies, global multinationals, and cloud providers that employ model contract clauses will ensure meeting the new EU data protection obligation in a cost-effective manner. 

Similarly, all companies that transfer data from Europe to the US need to take action to ensure compliance under the new regulatory system.  Such companies should consider the differences in model contract clauses between a data processor (a supplier that processes personal data) and a data controller (a customer that determines the purposes for the processing of data) in order to be in compliance. The distinction will consider the kind of personal data to be processed, the method and frequency of the transfer, and whether to utilize an electronic of automated means of processing.

All companies with European subsidiaries that transfer data to the US would benefit from a brief audit of their corporate rules to ensure compliance under the new regulatory system  in the event reliance was previously on the Safe Harbor exemption.  The EU Directive recognizes the implementing of binding corporate rules for intra-company transfer as another prong for proving compliance.

© 2019 Bracewell LLP

TRENDING LEGAL ANALYSIS


About this Author

Jeffrey B. Andrews, Bracewell Outsourcing matters Attorney, Technology Transactions lawyer,
Partner

Jeff Andrews’ broad transactional practice focuses on outsourcing, sourcing and technology transactions. He is best known for structuring and negotiating complex domestic and international information technology and business process outsourcing agreements. Jeff has assisted clients in outsourcing all major business functions and operations. He has negotiated opposite every major multinational and Indian outsourcing service provider. His clients span a wide range of industries, including energy, financial services, consumer products, retail, manufacturing, pharmaceuticals...

713.221.1439
Constance Rhebergen, Patent, Intellectual Property Attorney, Bracewell law firm
Partner

Constance Rhebergen is a registered patent attorney who counsels and represents business clients in the protection, maintenance, licensing and transfer of intellectual property assets and in providing patent infringement and validity opinions. Ms. Rhebergen leverages her experience in litigating patent, trademark and copyright infringement cases, Internet domain name cases, trade secrets, unfair competition, as well as counseling on the protection of intellectual property assets in acquisitions and financial restructuring.

Ms. Rhebergen advises businesses and government agencies in Latin America, Europe, MENA region, and elsewhere on intellectual property matters and litigates international intellectual property law disputes.

Ms. Rhebergen brings a rich blend of skills developed over years of practice in a range of technologies, including energy, chemical and process applications, mechanical arts, and computer software. Industries served include refining, chemical processing, petrochemicals, agriculture and food, computer software, oilwell drilling, synfuel, sports, education, telephone, wastewater, mechanical equipment, instrumentation and explosives.

713-221-3306
Brad Y. Chin, Bracewell, Trademark Prosecution Lawyer, IP, Patent Licensing Attorney
Partner

Brad is an intellectual property attorney in Bracewell & Giuliani’s Technology Section. His practice focuses on patent and trademark prosecution, client counseling, licensing, and technology transfer. Brad prosecutes patents in the chemical, electrical, and mechanical arts for U.S. and international (China, Japan, Korea, and Middle East) clients, particularly in the areas of oil and gas drilling equipment, chemical processing, telecommunications, automotive, robotics, consumer electronics, OLED and plasma displays, semiconductors, energy storage, renewable energy,...

713.221.1569