Privacy and Data Transfers after the Safe Harbor Implosion

Chris Walls

SVP, Business Operations

Simulmedia continually follows privacy developments across the globe to ensure our compliance with the applicable regulations and standards. Occasionally, we share significant developments with our followers. A recent ruling could affect our clients' or partners' data transfers from the European Union to the U.S., and this post discusses the impact of those developments.

Earlier this month, the European Court of Justice dealt a death blow to the longstanding Safe Harbor Agreement between the U.S. Department of Commerce and the European Commission that enabled personal data housed in the European Union to be transferred to the U.S. The Safe Harbor Agreement permitted data to flow from the EU to U.S. companies that agree to be bound by, and comply with, the Safe Harbor Agreement.

The Court held that, regardless of the affirmations of Facebook to follow the Safe Harbor Agreement, once EU personal data is domiciled in the U.S., the U.S. Government, particularly the National Security Agency, can access it without regard to the Safe Harbor Agreement. Therefore, the Safe Harbor Agreement does not afford any real protection to data transferred from the EU to the U.S. While this decision has broad implications for data transfers, it further highlights the ever-changing landscape of privacy regulations in the U.S. and abroad. For example, the U.S. is currently contemplating a National Data Breach law and other privacy legislation, and the EU is revamping its omnibus data initiatives as well.

It is not time to panic just yet, as it does not appear that the EU will seek to enforce the court's ruling until at least January 2016, allowing regulators to (hopefully) make some progress on Safe Harbor 2.0. It is also important to note that the current ruling refers the matter back to the High Court of Ireland for further action, which is likely to cause the Irish Office of the Data Protection Commission to actually investigate the claims made in the initial (Schrems) complaint against Facebook. The Irish Data Protection Commissioner's refusal to investigate these claims formed the basis of the original complaint. This will take time and may further delay enforcement actions based on the current ruling.

Interestingly, this decision does not ban all data transfers from the EU to the U.S., and companies can still avail themselves of the Binding Corporate Rules and/or Model Contract provisions for data transfer to the U.S. While some (including at least one DPC) may argue that the reasoning employed by the Court in the Schrems case should apply to other methods for data transfer from the EU to the U.S., the Court was clear that such challenges must be explicitly made and ruled upon. This ruling is limited to invalidating the Safe Harbor Agreement.

One thing is certain: change is on the privacy horizon in both the U.S. and EU. The real questions that remain are how quickly such change will be brought about and how dramatic such change will be. 2016 will be a very interesting year for companies whose businesses rely on cross-border EU/U.S. data transfer and the privacy professionals who help guide them.
