Today, in a landmark ruling, Europe’s highest court has invalidated the Safe Harbor data transfer agreement that enables data to transfer from Europe to the U.S. The U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data outside the European Union in a way that’s consistent with the EU Data Protection Directive.
Thousands of companies and organizations have relied on the U.S.-EU Safe Harbor Framework, dating back to 2000, to operate their business and transfer data cross-Atlantic. This ruling makes that very transfer unlawful.
The EU has different privacy regulations than the United States in regards to the processing, sharing and storage of data coming from the European Union.
To bridge that gap, the United States Department of Commerce and the European Commission set forth safe harbor principles to govern the processing of data transferred to United States companies from the European Economic Area. These principles have enable US companies to satisfy the EU requirement, set forth in the EU Data Protection Directive, that personal data transferred from the EEA to the United States, must be adequately protected. The US-EU Safe Harbor framework has been a significant cross-border data transfer mechanism enabling certified organizations to transfer personal data from the EU to the US in compliance with European data protection laws. In an EC Press Conference today, First Vice-President Frans Timmermans said “Today’s judgment by the Court is an important step towards upholding Europeans’ fundamental rights to data protection.” European Commission Statement – EU US Safe Harbor Invalidated-15-5782_EN
Today’s landmark ruling will mark major changes for the technology sector. This decision will particularly affect United States data processing companies. Many European companies transfer their data to the United States for data processing, such as analytical processing, data science processing, scrubbing, marketing, advertising, compilation, accretion and storage.
In November of 2013 the European Commission proposed 13 recommendations for improving the functioning of the Safe Harbor scheme. European Commission Proposed Changes to Safe Harbor Framework-13-1059_EN Negotiations are still ongoing.
In the interim, companies will need to consult their privacy and data security counsel to decide what other legal avenues, available under EU data protection laws, are best used for continuing the international transfer of personal data. There are a few alternatives, most of which will require implementation heightened security measures by U.S. companies.
This judgment opens U.S. internet and technology businesses with users in the European Union, to privacy disputes if they are processing european data on U.S. soil. I suspect a trend toward U.S. companies immediately adopting strong encryption, as the European Court has not provided for a transitionary period, thereby leaving U.S. companies greatly exposed to costly challenges. In the alternative, companies will need to make costly changes to their procedural operations, including how and where they store and process data. Some companies may look to data centers on European soil.
U.S. data vendors will be greatly affected by this ruling.
Although the U.S. authorities and the EC are working toward a new Safe Harbor Framework, the revised Safe Harbor will likely impose significant changes to U.S. law and costly procedural implementation for U.S. companies. The European Commission is looking to close, rather than bridge, the gap between U.S. and E.U. data laws.
Tiffany A. Kahnen is the Founding Corporate Attorney at Four Corners General Counsel. FCGC provides corporate legal counsel at a Fixed Value Price, flat fee. We work closely with each client to develop legal solutions custom tailored to fit their unique needs, at a predictable rate they can budget for. We handle all aspects of corporate law, including contractual transactions, risk management & dispute resolution.