As the sun sets on the U.S.-EU Safe Harbor, what does the future hold? At the moment, that crystal ball is best viewed directly from the EU. So, I asked Marc Dautlich and Lucy Jenkinson of EU law firm Pinsent Masons‘ Information Law team for their perspective. Here’s what they shared:
The tone of news reports has varied on whether the European Court of Justice’s ruling is a catastrophe or simply an inconvenience for companies that relied on the Safe Harbor Framework. How bad is this decision for those companies, and what will be the immediate impact on them?
We think it is unlikely to be a catastrophe, but it will be more than just an inconvenience. Safe Harbor is dead. It can no longer be relied upon to ensure adequacy. However, there is also potential for other adequacy mechanisms to come under the same legal scrutiny.
European regulators recognize they need to provide guidance quickly. They are also aware of the importance of transatlantic data flows to the European economy.
As well as regulatory action, European organizations also face other risks. Affected individuals, if minded to do so, have the right to claim in the courts for compensation if they have suffered as a result of a breach of data protection laws. Also, organizations that are in the supply chain may now be in breach of any contractual obligations contained in their agreements with one another to comply with relevant data protection laws.
Having identified contracts and arrangements under which they receive personal data from Europe in relation to which they relied on Safe Harbor, U.S. businesses need to:
- Anticipate that they are likely to be asked by their European customers and partners, if they have not already been, what alternative mechanisms they will be putting in place to provide “adequacy” and what their timescales will be for putting those in place; and
- Seek advice on what they can offer as alternatives. One likely alternative mechanism will be to put in place contracts containing EU-approved model clauses. Consent is, in many cases where a more than minimal or ad hoc transfer is involved, unlikely to be appropriate for a variety of reasons.
U.S. organizations may find their European partners will be taking varying approaches depending on where they are based and what their local regulators are saying (see further below). In the medium term, regionalized data centres based within the EU are likely to become more popular.
Will some types of businesses be more affected than others?
We don’t think so. The decision does not specifically impact types of data processed and types of organizations.
Plainly, smaller businesses may have fewer resources in place to implement a solution – from identifying the most appropriate transfer mechanism (e.g. an EU-approved model contract), through to managing the documentation (if, for example, the EU model contract mechanism is used).
What long-term implications do you anticipate? For example, will Europe become an even more robust data server hub?
The issue is not unique to Safe Harbor. The court has made clear that only it can invalidate Commission adequacy decisions and that domestic EU courts cannot do so, nor can the data protection authorities. However, other currently recognized mechanisms for adequacy, such as EU Model clauses, are challengeable based on similar grounds to those in the Safe Harbor judgment, and the court has made clear that national data protection authorities, as independent bodies, must scrutinize complaints if they believe there may be a case to answer. If they are not satisfied there is adequate protection in place, they will have the power to suspend transfers in particular cases. The legal uncertainty ahead is likely to mean that regional data centres within Europe may become more popular.
The U.S. and the European Commission have been in negotiations to strengthen the Safe Harbor – what are your thoughts on how the Court’s ruling will affect those negotiations?
The U.S. government has expressed its disappointment in the ruling, and Penny Pritzker, the U.S. secretary of commerce, has said the ruling “necessitates release of the updated safe harbor framework as soon as possible.” The decision will undoubtedly move the negotiations up the international agenda. However, the underlying issue is that the European Court of Justice has held that mass, indiscriminate surveillance by the U.S. authorities infringes the privacy rights of EU individuals. The court has taken it as read, based on the evidence of the Irish court and the Snowden revelations, that U.S. laws do not adequately protect EU citizens. The enactment of the Judicial Redress Act would be one legislative initiative that would alleviate matters from a European perspective, by providing EU citizens with rights of redress similar to those of U.S. citizens. The negotiations for a revised Safe Harbor may also give the U.S. a better forum than the European Court of Justice to put its case in relation to surveillance matters.
Domestic data protection authorities now appear to have all the power over data transfers. What do you think will be their response, and how might these responses differ between countries?
The risk is that the different national data protection regulators will take differing approaches. We hope this will be avoided by the collective body that comprises representatives from each of the 28 member states’ data protection authorities—the Article 29 Working Party—finding a consensus across all the authorities, and promulgating guidance on behalf of all of them. At present, the U.K. regulator seems to be looking at the issue more pragmatically than some of the German regulators. There is both a federal regulator in Germany and one for each state within Germany. The Article 29 Working Party met as a matter of urgency last week to begin to discuss a coordinated analysis of the decision and together determine the consequences on transfers. A further meeting is due to be scheduled shortly.
The Court of Justice ruling certainly changes the playing field – who appear to be winners and losers?
European organizations that are not subject to the U.S. laws, such as with no U.S. parent, and that can offer hosting of data within the European Economic Area, would seem to be the winners. Large U.S. tech companies now have another EU Court of Justice ruling—in addition to, in particular, the Costeja or “Google Spain” judgment of 2014—which adversely impacts their business models. Finally, it is doubtful whether a balkanized Internet is in anyone’s interests.
What are the next steps companies should consider if they were relying on Safe Harbor status to transfer data?
They need to identify contracts and arrangements under which their organizations receive personal data from Europe, and which of those rely upon Safe Harbor. They should then start to implement alternative mechanisms they can offer to assist EU organizations to achieve compliance, such as putting in place EU Model Clauses, and presenting a case that they provide adequate protections, such as encryption. They should also consider whether reliance on other derogations will be appropriate—for instance, where individuals’ consent can be relied upon, or where the transfer is necessary for the performance of a contract with the individual. Last but not least, large groups of companies may wish to consider putting in place Binding Corporate Rules, though they should be aware that the implementation of these would be a major project that typically takes well over a year to obtain regulatory approvals. Meanwhile, organizations should also keep an eye out for revised guidance from the EU regulators.