Over the last 15 years, any U.S. corporation that employed European citizens, or did business in Europe that involved collecting its customers’ personal data and storing it on U.S.-based servers, had to comply with European data protection rules. In Europe, the right to privacy is a fundamental right, and the law prohibits the transfer of such data to foreign countries that do not meet the EU adequacy standards. In the U.S., data privacy is considered more of a consumer right, and the rules of data management differ in each sector. To bridge these differences in approach and give U.S. organizations a means of complying with European laws, the U.S. and European authorities reached a “Safe Harbor” compromise. U.S. entities that meet a set of privacy rules are certified and entitled to make cross-border personal data transfers. However, there is a major change in those rules as of October 6, 2015.
The European Court of Justice (ECJ) declared those Safe Harbor data-transfer rules invalid. This landmark judgment from the top European court leaves almost 5,000 U.S. Safe Harbor certified entities in the dark and could affect how major U.S. corporations and service providers involved in trans-Atlantic personal data flows operate overseas. Private causes of action by consumers and privacy advocates, and enforcement measures by national data protection authorities in Europe and the U.S. Federal Trade Commission, will follow. Unfortunately, it is very strange to have a territorial restriction on data flow in today’s global economy.
What did the court say?
The ECJ examined the case of an Austrian citizen, Mr. Max Schrems, who claimed that Facebook wasn’t adequately protecting his data and that the U.S. government spied on people in other nations. The Irish data protection authority refused to address his complaint, relying on the EU-US Safe Harbor standards. Thereafter, the ECJ heard Max Schrems’s claim and declared the EU Commission’s Safe Harbor Agreement completely invalid, leaving room for 28 European countries to put their own robust data protection safeguards in place before European citizens’ data is transferred, and hence creating enormous barriers to U.S. firms doing business in Europe.
What does this mean for companies relying on the Safe Harbor?
The ECJ’s ruling directly affects the companies that rely on the Safe Harbor as a solution for transferring data from the EU to the U.S. These companies, which are now at risk of becoming the subject of investigations and possible enforcement actions, might be required to invest heavily in European data centers. In the meantime, international corporations and service providers are left with some alternatives for ensuring data privacy compliance on data flows and avoiding such risks.
What to do next?
Companies can therefore adopt an alternative solution that is accepted by the EU authorities for legally transferring data from the EU to the U.S. The following can be viewed as the main options to consider:
1) Binding corporate rules;
2) Model contract clauses; and
3) Intra-group agreements or policies.
If you believe the new ruling is putting your company at risk, please contact Eikon Law and our Los Angeles data privacy lawyers will be ready to discuss the matter with you in more detail in order to provide you with the right legal advice.