The Court of Justice of the European Union (CJEU) has struck down the 15-year-old Safe Harbor agreement that allowed the free flow of information between the US and EU. The significant repercussion of this ruling is that the more than 4,000 American companies that operate under this agreement may not be allowed to send user data from Europe back to the United States. Another significant and costly issue US companies now face as a result of this ruling is the need to completely revise their protocols for compliance reviews, audits, and internal investigations.
The case that brought the issue before the EU’s highest court was partly set in motion by the revelations of Edward J. Snowden, the former National Security Agency (NSA) contractor who infamously revealed details of the U.S. government’s “Prism” program, which supposedly gave the agency access to data collected by several giant U.S. tech companies, including Google and Facebook. The case was originally referred to the CJEU by the High Court of Ireland, after the Irish data protection authority rejected a complaint from Maximilian Schrems, an Austrian citizen. In his case, Mr. Schrems argued that, in light of Snowden's revelations about the NSA, the data he provided to Facebook that was transferred from the company's Irish subsidiary to the US under the Safe Harbor scheme was not, in fact, safely harbored. Advocate General Yves Bot of the CJEU agreed with Schrems that the EU-US Safe Harbor system did not meet the requirements of the Data Protection Directive, because of NSA access to EU personal data.
What does this ruling mean for US companies doing business in the EU? Because the CJEU was ruling on an issue referred from Ireland, the Irish court is expected to make its own judgement shortly. It is anticipated that the Irish court will side with the CJEU and, furthermore, that courts in each of the EU member states are likely to follow suit. Facebook and many other US companies will need to keep European data within the EU, as it is unlikely that the US government will be able to quickly negotiate another Safe Harbor agreement that would satisfy the EU’s stringent privacy requirements.
Now is the time for companies to closely evaluate their business operations to comply with the CJEU ruling. Data and privacy officers need to address the complete revision of their protocols for compliance reviews, audits, and internal investigations for data protection and privacy. Companies may need to consider relocating servers from U.S. soil to the EU in order to comply with what may turn out to be a multitude of data protection laws that vary from country to country. However, there is another option to consider. The European Commission has the power to approve certain standard contractual clauses that offer sufficient safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals. US companies should consult with counsel to determine whether such clauses are present in their current agreements.