Safe No More: What to Do in the Wake of the EU Safe Harbor Ruling
For the last 15 years, we have advised companies doing business in the United States and the European Union about the importance of the U.S.-EU Safe Harbor, the framework under which U.S. companies could self-certify that they provided “adequate” privacy protection for personal data transferred from the EU under the EU’s Data Protection Directive (Directive 95/46/EC). But the game has now changed. On Tuesday, the Court of Justice of the European Union, the EU’s highest court, invalidated the European Commission decision that underpinned the Safe Harbor. Many businesses that had relied on the Safe Harbor’s self-certification approach are now scrambling for a new legal basis for their transatlantic data transfers, both to avoid interruptions in their business dealings and to avoid enforcement action by EU member state authorities applying member state privacy laws that are more stringent than U.S. law.
The court’s decision was driven in part by concerns about mass surveillance by the U.S. government, and it rendered the Safe Harbor invalid with immediate effect: there is no grace period. This means that EU member state data protection authorities are technically free to act immediately against any company whose transfers of EU personal data to the U.S. now lack a valid legal basis, or whose privacy protections they deem inadequate. Not surprisingly, most U.S. companies operating abroad cannot afford to shutter their European operations while they wait to see the fallout from this week’s ruling. So what are their options?
Some companies may already be protected by intragroup arrangements, approved by EU data protection authorities and known as Binding Corporate Rules, under which a U.S. entity has contractually agreed to protect its EU affiliates’ employee, client or customer personal data as if the data had remained in the EU. But these companies should take this opportunity to confirm that their processes, policies, systems and procedures actually conform with EU law and with their contractual obligations to EU affiliates, because both the agreements themselves and the manner in which they are implemented in practice are likely to come under scrutiny. Companies that do not already have Binding Corporate Rules in place could consider this approach, but should be aware at the outset that it is a complicated, time-consuming and expensive compliance option, requiring regulatory approval, that is not suitable for many companies.
Other companies should revisit their consent protocols and their contractual transfer mechanisms. Transfers of personal data between entities in the EU and the U.S. remain possible where the individual data subjects have given their unambiguous consent to the transfer, or where European Commission-approved Standard Contractual Clauses are in place between the exporting and importing entities. Companies that do not have either mechanism in place should consider whether one of them is viable for their business. Companies that do have these mechanisms in place should revisit them to ensure that they are properly executed and actually followed in practice, as they too are likely to come under scrutiny in the wake of the ruling.
Finally, there is at least some hope for a “new” Safe Harbor, but reaching one will involve considerable negotiation between EU and U.S. authorities, so companies should not sit back and wait. Exactly what the future holds remains to be seen, but companies involved in the transfer of personal data between the U.S. and the EU should act proactively, with the assistance of the firm’s team of data privacy counsel, to avoid potential regulatory action in the EU. Nor should companies wait for the new EU data protection rules (which are still in process and have been some time in coming): those rules are likely to be more prescriptive than the original Directive in any case, especially in light of this week’s ruling.