Most of you already have Twitter feeds, Facebook pages, and—the aged among you—in-boxes overflowing with news about this morning’s decision from the European Court of Justice (“ECJ”). Some of you read each message, anxiously searching for some new insight. For many others, all this talk about the “Schrems safe harbor controversy” sounds like it’s got more to do with shipping Austrian beer than data privacy.
So the goal of this alert is to cut through the media saturation to call out the key highlights and some tools for taking things from there. To do this, we’re going to simplify and truncate and dispense with the dense and often confusing vocabulary of the EU data protection laws.
It all starts with the law. Under EU law in effect since about the year 2000, data collected from an EU-based data subject cannot be transferred out of the EU member nation from which it was obtained unless one of the following four methods of compliance is in place:
- Binding Corporate Rules, or “BCR,” approval has been obtained from sponsoring EU Data Protection Authorities.
- EU/Swiss Safe Harbor Self-Certification has been obtained from the US Department of Commerce.
- So-called model clauses contracts are in place between the collecting entity and the destination entity (and all relevant entities in the chain).
- Consent is obtained directly from every data subject (with a caveat about HR data that’s beyond the scope of this alert).
On September 23, 2015, an adviser to the ECJ issued a nonbinding opinion saying that compliance method number 2, the “Safe Harbor,” was invalid. On October 6, 2015, the full ECJ issued a binding decision agreeing with him. And things are now clear as mud.
A lot of people and companies are affected. US-EU trade represents over half of global GDP and about one-third of global trade. Specifically, about 4,500 US companies are relying on the Safe Harbor to do business in Europe and send data back to the United States. Every one of them is affected in some manner. In addition, many companies, for whatever reason, don’t take the step of actually self-certifying but rely on the Safe Harbor principles to do the right thing, figuring they’ll save a few bucks and just say sorry if they get caught without the self-cert. It is hard to calculate what that number is, though most data security practitioners would agree it’s at least twice the number of those actually certified. Another 75 or so companies have invested many months and significant sums in obtaining BCR approval. They too could now have their compliance questioned, as could the countless companies that rely on the model clauses approach. More on these latter points below.
How are they affected?
With the decision still less than 12 hours old as we publish this alert, the only thing everyone agrees on is that no one really knows.
Due to the particular procedural circumstances under which the case came to the ECJ in the first place, combined with some of the specific wording of the ECJ opinion, it’s not entirely clear what all this means. For one thing, the language of the ECJ decision (particularly paragraphs 87 and 88) could mean that compliance methods 1 (BCR) and 3 (model clauses) are also invalid because the ECJ’s criticism of the Safe Harbor applies equally to them.
On the other hand, the official press release from the ECJ about the decision, echoing language in one of two key paragraphs of the ruling itself, seemed to indicate that the ruling’s only consequence was that the Safe Harbor was no longer a shield protecting companies from scrutiny by DPAs (the governmental privacy enforcers in each EU member nation), but until such DPAs conduct their own investigation, nothing changes.
If we’re affected, what should our company be doing?
We believe that, for now, what you do next depends on a number of factors, the most significant of which are what business you’re in, what kinds of data you collect, and what you do with it. The continuum of risk goes something like this:
If you’re a manufacturer that simply ships your own HR data back home to the US for loading in an ERP system you control and processing by personnel you employ, the most prudent thing to do is probably wait a few days to see how all this plays out. The EU Commission is expected to weigh in soon, and the US Department of Commerce and Federal Trade Commission are almost sure to have something to say.
On the other hand, if you’re a social media, e-commerce, or similar company collecting and using consumer data, and for which such data is either fungible currency or your revenue-producing widget, you should be very much invested in immediate contingency planning. Actually, you should have been planning for at least the last week; so if you haven’t, it’s probably time to call your lawyer.
Finally, if you’re a retailer, healthcare provider, financial services institution, hospitality company or any of the other myriad types of businesses that fall in between those two extremes, careful analysis of your European data transfer activity will be required.