The impact of the judgment of the Court of Justice of the European Union (CJEU) regarding the US Safe Harbor scheme has been the subject of a huge amount of interest from businesses, regulators, lawyers and citizens alike. The formal Decision of the European Commission recognised that Safe Harbor assured businesses that, if they transferred personal data to the US, they would satisfy the legal requirement for personal data transferred outside the EU to be adequately protected. This assurance has now been removed. However, the judgment did not strike down Safe Harbor itself, but focussed on the Commission Decision that had given the assurance to businesses. This means that there is still a measure of protection for personal data transferred under the scheme; however, the assurance that meant Safe Harbor was automatically considered to provide the adequate protection required under the Eighth Data Protection Principle no longer exists.
The existing Commission Decisions on the adequacy of particular countries and on standard contractual clauses do still stand, and can be relied on by businesses (certainly for the time being), but the terms of the judgment inevitably cast some doubt on the future of these other mechanisms, given that data transferred under them is also liable to be accessed by intelligence services whether in the US or elsewhere.
Political, legal and technical solutions are required and they rely on both member states (including the UK) and the EU institutions opening discussions with the US authorities. The UK Government is aware of the issue and, last week, Baroness Neville-Rolfe hosted an industry round table which mainly focussed on: "Where does this leave businesses that are using the Safe Harbor?" The outcome focussed on three main points: "Don't Panic", "Take stock" and "Make up your own mind".
The ruling is already having a large impact on corporations' investment focus and financial performance. For example, many companies are looking to rent additional server space in European Member States and move European data to these new machines. The employment of "data localisation" comes at a high cost for businesses as it requires new infrastructure expenses. However, as an alternative, cloud-based services on servers based in Europe are likely to see an influx of new business due to companies wishing to avoid these high costs but still employ data localisation. On the other hand, US cloud service providers have been put into a difficult position, as many of them depend on the Safe Harbor framework (or closely related approaches) to do business in Europe: it acts as the mechanism authorising them to store data on behalf of European companies.
Currently, there is growing discussion of concerns about the free flow of data on the internet, but European regulators are arguing that their goal is not to stop data transfers, but to make sure that Europeans' privacy rights are respected wherever their data is stored. The coming months will be critical and, hopefully, a strong and effective framework for protecting individuals when their personal data are transferred from the EU to the US will be put in place.