Tuesday’s ruling that struck down the most common way to legally transfer data between Europe and the U.S. didn’t turn multinational companies into outlaws immediately, but they’d better start working on alternatives now.
That’s what lawyers steeped in the arcane law of international data handling said in the aftermath of the decision by the Court of Justice of the European Union.
The court said the Safe Harbor agreement that thousands of companies have relied on to move personal data across the Atlantic was invalid. In the light of revelations about U.S. National Security Agency snooping, the agreement used since 2000 isn’t enough to ensure Europeans’ privacy is protected if their data is stored in the U.S., the court said.
The law in this area may remain murky for months or years, but enterprises should already be looking at alternatives to Safe Harbor, the lawyers said on a conference call organized by the International Association of Privacy Professionals.
Companies that do business across the ocean and have been using the agreement in good faith will get at least a short grace period before data protection authorities start knocking on doors, said Brian Hengesbaugh, a partner at law firm Baker & McKenzie and a former member of the team that crafted the Safe Harbor agreement. Jumping on those enterprises would be considered a misuse of the enforcers’ legal authority, he said.
But for some, especially big U.S. companies and service providers, the questions could come soon. It’s likely they’ll start getting letters from data protection authorities in European countries where they store data, asking them to explain how they are legitimizing their data transfers, said Eduardo Ustaran of the London law firm Hogan Lovells.
Lawsuits by consumers or privacy activists, like the one by Austrian citizen Max Schrems that led to Tuesday’s ruling, are an even greater threat to companies that store European data in the U.S., said Christopher Kuner, senior privacy counsel at Wilson Sonsini Goodrich & Rosati in Brussels. The ruling will force data protection authorities to investigate all such claims, he said.
Enterprises already have some alternatives to Safe Harbor. The European Union’s Article 29 Working Party, a data protection body, has developed so-called Binding Corporate Rules for trans-Atlantic data transfers between organizations. The EU has also crafted “model clauses” to include in contracts with partners and customers. Companies can also write their own contracts or set up agreements with multiple parties, Ustaran said.
Using a new legal tool doesn’t have to mean starting from scratch. Parts of the Safe Harbor agreement can be recycled, and the EU’s Binding Corporate Rules are fairly similar, Ustaran said.
Microsoft said Tuesday it’s all set to continue data transfers and legally protect customers of its cloud services, including Azure Core Services and Office 365. It’s using the EU Model Clauses.
In addition, about 70 companies are using the Binding Corporate Rules. But for most of the approximately 4,000 organizations that have been relying on Safe Harbor, many of which are small and medium-sized businesses, there’s a lot of work ahead.
“Many companies will be in limbo,” Ustaran said.
They should start by deciding which kinds of data transfers are critical and address those first, looking at which alternatives would work for them.
Each country in the EU has its own data protection authority, and they’re likely to take different approaches, Kuner of Wilson Sonsini said. Some might decide Safe Harbor is still adequate. Should companies take a chance on that? “I wouldn’t advise it,” Kuner said.
He also warned that it’s easy to download standard contractual clauses, print them out and sign them, but you actually have to make sure you can comply with them and may need to have them approved by a country’s data protection authority.
However much Tuesday’s ruling may affect enterprises, the U.S. and EU haven’t tackled the greatest threat to data privacy, which is government surveillance, said Nuala O’Connor, president and CEO of the Center for Democracy & Technology. “I don’t think anybody’s privacy is any better today than it was yesterday,” she said.
The U.S. and EU have been working on a new Safe Harbor agreement since, but with issues like government spying to work out, it may take a while.
“I wouldn’t be holding my breath for Safe Harbor 2,” Ustaran said.