A gaggle of articles and blog posts in the past 24 hours have the cyber-sky falling and falling fast. They imply that all data in the U.S. under the Safe Harbor program is at immediate risk, or that all transfers of personal information from European Union countries will immediately grind to a halt. Neither is the case at the moment, but organizations registered in the U.S.-E.U. Safe Harbor Program should embark on contingency plans.
The Court of Justice of the European Union, in a case brought by Austrian student and Facebook user Max Schrems, invalidated the Safe Harbor adequacy decision (EU-Schrems-Judgement-CJEU) on the ground that, well, facts “on the ground” had changed since the program began in 2000. Those “facts” were the disclosures by Edward Snowden of massive N.S.A. surveillance of data in the U.S., which undermined the basis of the earlier European Commission finding that Safe Harbor offered an adequate level of privacy protection for E.U. citizens whose data had been sent to the U.S. under the auspices of the program.
The e-commerce sky is not falling. The Court remanded the case to the High Court of Ireland, which had certified the question of whether a local Data Protection Authority (DPA) has jurisdiction to conduct its own adequacy investigation and make its own findings. The decision leaves the question of suspending transfers under Safe Harbor to the individual DPAs. Some DPAs may not act for some time; others may act within weeks, some may take longer, and others may not act at all. Further, the decision is phrased prospectively: it does not speak to data that is already in the United States pursuant to Safe Harbor, and there is no mandate to do anything with data already in the U.S. under the program.
Clearly, though, multinational organizations should begin considering their options and alternatives. While the E.U. data protection authorities may not have the resources to analyze these issues right away, when they do so they may order suspension of transfers with immediate effect, which would halt data flows to your organization. First, identify the E.U. countries from which the organization obtains personal data and evaluate how quickly their DPAs are likely to move on this. If the local DPA suspends Safe Harbor transfers, another instrument for data transfer will be needed quickly so that transfers may continue. Personal data may be transferred to the U.S. under a Data Transfer Agreement incorporating the Model Contract Clauses; these clauses have been approved by all Member States and do not require approval by DPAs. Another approved method is a set of Binding Corporate Rules, a “code of conduct” that defines global policy for internal transfers between entities of a multinational organization. Binding Corporate Rules can function as a global data protection code of conduct, but in the E.U. they require approval by the pertinent DPA.
Please contact Kenneth N. Rashbaum if you have questions regarding data transfer instruments and processes in the wake of this decision.