Companies Advised To Review Data Transfer Agreements After European Court's Safe Harbor Ruling
The European Court of Justice’s ruling on safe harbor leaves no room for interpretation, K&L Gates attorneys said during a webinar Friday. Attorneys from the firm’s offices in Washington, Brussels and Paris advised companies to review contracts and develop interim agreements to allow data transfers to continue following the ruling (see 1510060001). While the European Commission, like the U.S., wants to conclude another safe harbor agreement sooner rather than later, staunch privacy advocates, like the German government, and those opposed to controversial trade deals appear interested in blocking a new agreement, K&L Gates lawyers said.
Safe harbor was declared invalid because the EU data protection directive allows transfers only to a country able to ensure an adequate level of protection for that data, said K&L Gates Brussels-based attorney Ignasi Guardans, a former member of the European Parliament. The European Commission had acknowledged that data could be accessed for national security, public interest or law enforcement reasons, but the U.S. government accessed personal information without limitation, Guardans said. EU citizens also had no administrative or judicial means of redress, or of accessing and correcting their data, which concerned the court, so the agreement was ruled invalid.
Safe harbor was never a solution for U.S. companies but for European ones, said K&L Gates Paris-based attorney Etienne Drouard, a former official at CNIL, the French data protection authority. But the perception is that the problem with the agreement was not the EU’s fault but the U.S.', Guardans said. Personal data is broadly defined in the EU, Drouard said.
Those affected by the ruling include U.S. companies with personnel, subsidiaries, affiliates or holding/parent companies in the EU, and those with servers or commercial partners in Europe; European companies with personnel, subsidiaries, affiliates, holding/parent companies or servers in the U.S., and those with commercial partners in the U.S.; and U.S. companies operating services entirely from the U.S. and/or a non-EU country that directly target customers in Europe, Drouard said.
U.S. companies that are safe harbor-certified are affected, as are non-safe harbor U.S. companies that are not bound by groupwide Binding Corporate Rules (BCR), those that have executed EU-compliant data transfer agreements with an EU parent company, sister companies, affiliates, contractors or subcontractors, those that receive or access personal data from the EU without a data subject’s consent, and EU companies that share data with a U.S. parent company, sister company or affiliate, have a BCR agreement, or don’t obtain subjects’ consent, he said.
It’s unrealistic to think that EU companies will “suddenly pull the plug and stop transferring data to the U.S.” and that national data protection authorities will investigate or sanction companies for continuing to transfer personal data to the U.S., wrote International Association of Privacy Professionals’ Managing Director Europe Paul Jordan in an email Friday. But “there is now a high expectation for companies to reassess their data flows and, where needed, to implement new measures for transferring data outside the EU,” Jordan said. Companies should perform a data transfer audit and review IT, commercial and outsourcing contracts and look for references to safe harbor and data transfer agreements, Drouard said.
A popular solution is to execute EU-compliant data transfer agreements, which require a description of the data, the purposes for transferring and using it, and the security measures protecting it, Drouard said. Companies must notify the relevant data protection authority (DPA) before transferring data under such new agreements, he said. Another option is to implement groupwide BCR, which must also be approved by a DPA, Drouard said.
Obtaining consent from data subjects is also an option, but not a good or sustainable one, Drouard said. Germany is likely pushing for U.S. companies to obtain consent from data subjects because it’s a “privacy pusher,” Drouard said. The European commissioner from Germany, who's close to the German government, said Friday that he doesn’t think the U.S. will accept EU requests in a new safe harbor agreement, Guardans said. Guardans noted a change in tone and views of the agreement, as the absence of safe harbor has implications for controversial trade agreements like the Transatlantic Trade and Investment Partnership (TTIP).
Those in favor of TTIP are pushing for a new safe harbor agreement, while those who don’t like the trade agreement are now trying to block safe harbor, Guardans said. For the past two years the U.S. and EU had been negotiating a new safe harbor agreement following former government contractor Edward Snowden’s revelations about NSA surveillance, and the new agreement was in its final stages, said K&L Gates Regulatory Policy practice area leader Bruce Heiman.
The court looked in the “rearview mirror” when making its decision and didn’t consider reforms in the U.S. like disbanding the Prism program, passage of the USA Freedom Act, and current attempts to pass the Judicial Redress Act, Heiman said. The Judicial Redress Act is pending in the Senate as an amendment to a cybersecurity information sharing bill, Heiman said. The bill has its own problems, but there may be a renewed push to pass it in light of the ECJ’s decision, Heiman said. The U.S. is interested in getting this resolved quickly, Heiman said.