A major storm hit the world of European data privacy and cross-border data movement last week. On October 6th the European Court of Justice invalidated the US-Europe Safe Harbor agreement, a framework long relied on by US and European companies to legally move personal data across the Atlantic. Companies, governments and lawyers are scrambling to understand the full impact of this major decision. The topic certainly ignited a firestorm of conversation last week at our AccessData International Advisory Board meeting in London. This week, the European court’s new president defended the action to uphold Europeans’ fundamental right of privacy, despite the disruption to US-EU digital commerce.
Storm Trigger. Things started brewing when Max Schrems, an Austrian privacy advocate, asked the Irish Data Protection Commission to stop Facebook’s Irish subsidiary from transferring European user data to its U.S. servers. Schrems claimed European personal data is at risk of being accessed by the US government, based on the surveillance practices Edward Snowden revealed. After the Irish authorities rejected the complaint on the basis of safe harbor, the case ended up in the European Court of Justice. The high pan-European court struck down the safe harbor agreement, essentially saying times have changed and we want to be sure EU citizen data is protected in a post-Snowden era.
What happens now?
The forecast is murky. Yet it’s important to realize this ruling doesn’t immediately stop data flows between the US and Europe. The ruling says that country data protection authorities (DPAs) must investigate and determine if their citizens’ data is adequately protected under EU laws. If they don’t like what they see, they can suspend data flows, requiring US companies to keep the data in-country. Does this mean they wait for complaints to investigate? Or will they proactively investigate certain or all companies? Are all companies operating under the safe harbor program automatically out of compliance? Practically speaking, over the coming months, American companies will spend a lot of time and money to try to figure out the new environment. A boon for privacy lawyers, no doubt.
What businesses and processes are impacted?
There are about 4,500 US companies in the safe harbor program, including some of the largest companies in the world and start-ups. Here’s a short list of areas that will need attention and some of the emerging strategies to cope.
- Internet & Cloud Companies. The Safe Harbor was critical for internet companies like Facebook, Google and Amazon Web Services. The movement of massive amounts of personal information across their global servers is core to their business model. Amazon announced it has data protection Model Contract Clauses, a European-approved way to meet data protection requirements. Alphabet’s Google can keep more EU data in Europe as it expands its Belgium data center and adds one in the Netherlands in 2016.
- eDiscovery. US lawyers and their global clients relied on the Safe Harbor to get hold of relevant European employee data during legal matters. Companies would collect data from employees in Germany and Ireland, for example, and send it to their New York lawyers’ offices for processing and legal analysis. If the DPAs suspend data transfers, companies can try to get consent from individuals to move their data, though this can be fraught with delays and accusations of employees being “forced” to consent. The model contract clauses could also cover eDiscovery transfers. Alternatively, US lawyers could travel to the country where the data is located rather than move it to their offices or service providers. Travel costs and time away from the office make this an unappealing path.
- Human Resources. US human resource departments will be impacted in terms of their ability to pull European employee data over to their US servers for management, reporting and investigations. HR has some of the most personal information of all departments including addresses, phone numbers, medical information, etc.
- Marketing & Advertising. Agencies and companies that gather data every millisecond to serve up relevant ads and marketing content need to scrutinize their flow of European personal data.
The next few weeks will reveal a lot. We will be listening – watch for a blog series on the safe harbor storm.