Privacy activists are overjoyed, but for businesses it’s what one lobbyist described, only half jokingly, as “the doomsday scenario:”
The transatlantic transfer of European Union citizens’ personal data was thrown into a legal void Tuesday when the Court of Justice of the EU declared invalid the 15-year-old Safe Harbor agreement with the U.S. because it provided inadequate privacy protection.
The ruling exposes businesses reliant on Safe Harbor to the threat of legal action. The fact that European Commission and U.S. officials are in the middle of negotiating stronger privacy protections offers little comfort, as the ruling also opens that to challenges in national courts. Only a complete rewrite of the EU’s data protection regime, already in progress, might help—but it won’t take effect for up to two years after the final text is agreed, and that is still many months off.
The Safe Harbor agreement matters because it is the simplest of a number of legal instruments available to companies to prove that they comply with EU data protection laws, which require that personal data only be exported when it will benefit from the same level of privacy protection as it does within the EU.
Companies do have other legal options, including the use “binding corporate rules,” which can be time-consuming and expensive to implement, and model contract clauses ratified by the European Commission, which may not always be suitable in individual cases. Safe Harbor, on the other hand, provides for a simple self-certification and registration process, which over 4,000 companies have already undertaken.
However, the protection afforded under that agreement is flawed, the CJEU ruled Tuesday, saying that it is only binding on the companies involved, and not on U.S. law enforcement and national security agencies. Data is thus vulnerable to legally sanctioned spying, the CJEU concluded.
“The ruling creates uncertainty for the European and international companies that rely on Safe Harbor for their commercial data transfers, most of which are small and medium-sized enterprises,” warned Christian Borggreen, European director for the Computing and Communications Industry Association, an industry lobby group with Amazon.com, Facebook, Google, and Microsoft among its members.
Lawyer Mary Hildebrand said her clients have been grappling with the uncertainty around Safe Harbor and the rewrite of the EU’s data protection rules for some time.
“Uncertainty is the enemy of business, because people have to close transactions. It’s good to know what the rules of the road are,” said Hildebrand, of law firm Lowenstein Sandler, ahead of the CJEU ruling.
Another lobby group, Digital Europe, warned that the ruling would cause immediate harm to consumers, employees and employers.
“We urgently call on the European Commission and the U.S. government to conclude their long-running negotiations to provide a new Safe Harbour agreement as soon as possible,” said its president, Peter Olson. Facebook isn’t a member of his organization but Apple, IBM and SAP are.
While a new Safe Harbor agreement might provide stronger protections for personal data, it won’t end the legal uncertainty.
That’s because another aspect of the CJEU’s ruling affirmed the right of national data protection authorities to investigate the protections afforded by such agreements and even to challenge them in the courts—although it reserved to itself the right to invalidate agreements made by the Commission, as it did Tuesday with the first Safe Harbor agreement.
Before the CJEU’s ruling, businesses registered under Safe Harbor could apply the same rules to their operations across the E.U., but by returning power to the national DPAs, warned Hildebrand, “We could lose that uniformity. We could have DPAs in different countries taking their own positions and conducting their own investigations. It could be country by country or, God forbid, case by case.”
One way to clear up that uncertainty is to rewrite the laws.
In fact, EU lawmakers have been working since 2012 to rewrite the EU’s personal data protection regime, which stems from a 1998 directive.
Work on the new general data protection regulation, though, is still several months from completion—and even then won’t take effect for another two years or so.
The European Commission is due to outline its plans for dealing with the aftermath of the CJEU’s ruling later Tuesday.