September 27, 2020

Volume X, Number 271

September 25, 2020

Subscribe to Latest Legal News and Analysis

September 24, 2020

Subscribe to Latest Legal News and Analysis

Safe No More: What to Do in the Wake of the EU Safe Harbor Ruling

For the last 15 years, we have advised companies doing business in the United States and the European Union about the importance of the U.S.-EU Safe Harbor—the framework designed to ensure that U.S. companies are providing “adequate” privacy protection under the EU’s Data Protection Directive (Directive 95/46/EC). But the game has now changed. On Tuesday, the EU’s highest court suspended the agreement between the EU and the U.S., sending many businesses that had relied on the Safe Harbor’s self-certification approach scrambling for a new way to avoid interruptions in their transatlantic business dealings and/or avoid prosecution by EU member state authorities enforcing EU member state privacy laws that are more stringent than U.S. laws.

The court’s decision was driven in part due to fears of mass surveillance by the U.S. government and made the protections of the Safe Harbor immediately invalid—there is no grace period. This means that EU member state authorities are technically free to bring suit immediately against any company whose privacy protection policies they deem to be inadequate. Not surprisingly, most U.S. companies operating abroad cannot afford to shutter their European operations while they wait to see the fallout from this week’s ruling. So what are their options?

Some companies may already be protected by intragroup agreements—often known as Binding Corporate Rules—under which a U.S. entity contractually agreed to protect its EU affiliates’ employee, client or customer personal data as if the data remained in the EU. But these companies should take this opportunity to confirm that their processes, policies, systems and procedures conform with EU law and with their contractual obligations to EU affiliates, as those agreements and the manner in which they are implemented are likely to come under scrutiny. Companies who do not already have Binding Corporate Rules in place could consider this approach, but should be aware at the outset that this is a complicated, time-consuming and expensive compliance option that is not suitable for many companies.

Other companies should revisit their consent protocols. Data transfer between entities in the EU and U.S. is still possible as long as the individual data subjects have given their consent to such transfer or where EU Commission-approved Standard Contractual Clauses are used. Companies that do not have these mechanisms in place should consider whether they are viable. And companies that do have these systems in place should revisit them to ensure compliance, as they are likely to come under scrutiny in the wake of the ruling.

Finally, there is at least some hope for a “new” Safe Harbor, but that will involve considerable negotiation among EU and U.S. authorities, so companies should not sit back and wait. Exactly what the future holds remains to be seen, but companies involved in the transfer of data between the U.S. and the EU should act proactively, with the assistance of the firm’s team of data privacy counsel, to avoid potential regulatory action in the EU. Companies should not and cannot wait for the new EU rules (which are in process and have been some time in coming), as these rules are likely to be more prescriptive than the original Directive in any case, especially in light of the new court ruling.

© 2020 Vedder PriceNational Law Review, Volume V, Number 286


About this Author

Blaine C. Kimrey, media defense Litigation, Vedder Price Law Firm Chicago Office

Blaine C. Kimrey is a Shareholder in the Litigation practice area in the firm’s Chicago office.

A former journalist at two daily newspapers (the Austin American-Statesman and the Arkansas Democrat-Gazette), Mr. Kimrey is a trial lawyer who has dedicated more than 20 years to working for and defending media entities. Mr. Kimrey’s practice, however, extends well beyond media defense, focusing on a broad range of direct and class action litigation involving topics as diverse as privacy, consumer deception, intellectual property,...

312-609 7865
Bryan Clark Media & Privacy Law  litigation Vedder Price Law Firm Chicago

Bryan Clark is an Associate at Vedder Price and a member of the Litigation group in the firm’s Chicago office.  He has an extensive media and privacy practice that includes privacy class action defense, mobile-marketing litigation, class action TCPA litigation, copyright litigation, right of publicity litigation, data breach response, FOIA issues, reporter’s privilege issues and prepublication review.

Mr. Clark’s other representative work includes drafting successful dispositive motions in right of publicity and invasion of privacy cases,...

312-609 7810