E.U. order complicates multinational personal data sharing for thousands of firms
More than 4,000 U.S. multinational companies must seek an alternative legal framework for conveying their workers' personal data from European Union countries to the United States without risking regulatory scrutiny, as a result of an E.U. court order that invalidated the current safe harbor.
A ruling earlier this month by the Luxembourg-based Court of Justice held that the safe harbor covering such transfers is now invalid.
Under the European Commission Directive on Data Protection, which went into effect in October 1998, the transfer of personal data to non-European Union countries that did not meet the E.U.'s adequacy standard for privacy protection was prohibited.
Although U.S. law does not meet that standard, in 2000 the U.S. Department of Commerce, in consultation with the European Commission, developed a U.S.-E.U. Safe Harbor program that protected firms that successfully applied to the program from E.U. regulatory scrutiny. That safe harbor was declared invalid by the Court of Justice in its ruling.
The case ruled upon by the E.U. court was filed by Maximilian Schrems, an Austrian citizen who has been a Facebook user since 2008. He lodged a complaint with the Irish supervisory authority, the Data Protection Commissioner, that claimed that, in light of the revelations made in 2013 by Edward Snowden concerning the United States intelligence service's activities, United States law did not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.
The commissioner rejected the complaint, and the case then went to the High Court of Ireland, which referred it to the E.U. Court of Justice.
The E.U. Court of Justice held in its Oct. 6 ruling that personal data sent to countries outside the European Union must ensure “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order,” and the safe harbor did not meet that standard.
More than 4,000 firms — and some attorneys estimate a total of 4,500 — are affected by the ruling. Companies that took advantage of the safe harbor “now need to examine the alternatives for a lawful basis for transferring personal data from the European Union to the United States,” said Philip L. Gordon, a shareholder at law firm Littler Mendelson P.C. in Denver.
Mr. Gordon said, “I don't anticipate that the data protection authorities are going to immediately start cracking down on companies that had relied on the safe harbor for purposes of cross border data transfers.
“The reality is this is a complicated process in figuring out an appropriate transition away from the safe harbor after the European Union's decision, and I think most data protection authorities are going to recognize that” and permit some period of time to develop an alternative, Mr. Gordon said.
“But there'll also come a point where data protector regulators may lose their patience and start questioning” companies that have not replaced the safe harbor, he said.
Mr. Gordon said one possible alternative is “standard contractual clauses,” which are clauses using preapproved contract language that are embedded in a data transfer contract between the E.U.-based subsidiary and the U.S. parent company.
Another option stems from negotiations between U.S. and E.U. regulators, under way for more than two years, on what some people call “safe harbor 2.0,” which would modify the safe harbor program so that E.U. regulators “are satisfied with the adequacy of the data security,” said Gary A. Kibel, a partner with Davis & Gilbert L.L.P. in New York. “There's certainly now a greater need for the negotiations to finish,” he said.
Meanwhile, “if you're relying solely on safe harbor, then you need to re-examine your cross border data transfer processes and discuss with counsel how to ensure you're compliant with the law,” Mr. Kibel said. “Ignoring it is not a good idea.”