You’ve no doubt heard that on Tuesday the European Court of Justice declared the U.S.- EU Safe Harbor invalid. Under European law, the transfer of EU citizens’ personal data to a third country may only occur if the third country ensures adequate protection of that data. A European Commission decision in 2000 declared the United States’ laws and policies provided such adequate protection, through the vehicle of the U.S.- EU Safe Harbor Framework. Nearly 4,500 U.S. companies partake of the Safe Harbor protected status – at least until this week’s European Court of Justice’s ruling pulled the plug.
As a result of this ruling, each of the European Union’s 28 national data protection authorities (“DPAs”) now has the power to establish its own rules and regulations for data transfers. Although the U.S. and the European Commission are engaged in continuing negotiations for “Safe Harbor 2.0,” there is no certainty about when the new framework will be established, or even what the framework will be. In the meantime, the question looms – what will the national DPAs do?
The EU national DPAs have slowly gained more authority to investigate, intervene, and bring legal actions against companies that process personal data within their borders. The jurisdiction of each DPA was previously thought to be limited to where a company has an establishment engaged in data-related activities. However, recent decisions have expanded the definition of establishment to include small company offices that are not directly engaged in such activities. As a result, more national DPAs may have regulatory power in a given matter.
Following the loss of the Safe Harbor’s uniform rules, the biggest struggle for companies engaged in data transfers will likely be complying with different and potentially inconsistent positions taken by various DPAs. A major focus for companies will be determining which country is most likely to provide favorable rules and regulations for data transfers. There may even be a shift in where companies locate in the EU, especially for mid-sized businesses that don’t have the resources to ensure compliance in multiple countries.
Hopefully the Safe Harbor 2.0 negotiations between the United States and the European Commission will resolve this quandary. One reason negotiations have taken so long is a fundamental difference in how data privacy is viewed – as a fundamental right in the EU versus a matter of consumer protection in the U.S. Another is EU concerns over U.S. government surveillance practices, raising thorny issues that can only be resolved on a government-to-government basis.
The Commission would appear to have stronger negotiating power now that the United States can no longer fall back on the Safe Harbor Framework as a negotiating floor. But at the same time, the practical result of this ruling limits the European Commission’s power over data transfers. If the DPAs are no longer bound to adequacy determinations by the Commission, the question becomes what Commission determinations will bind the DPAs?
In the meantime, companies are wrestling with how best to minimize data transfer exposures post-Safe Harbor. Companies are turning to alternatives, such as binding corporate rules and standard contract clauses, to prevent suspension of their data transfers. But the same logic used to invalidate the Safe Harbor – namely, the power of the U.S. government to access data for national security purposes – may also make such alternatives vulnerable. Ideally, the DPAs will hold off on data transfer suspensions until Safe Harbor 2.0 negotiations are finalized. Realistically, the results will depend on the respective DPAs – some may wait, while others may move on this chance to exercise their greater authority.