With Safe Harbor gone, the hard work on data transfers starts now

Lawsuits and enforcement actions could come soon, so companies should get ready, data privacy lawyers say

Tuesday's ruling that struck down the most common way to legally transfer data between Europe and the U.S. didn't turn multinational companies into outlaws immediately, but they'd better start working on alternatives now.

That's what lawyers steeped in the arcane law of international data handling said in the aftermath of the decision by the Court of Justice of the European Union.

The court said the Safe Harbor agreement that thousands of companies have relied on to move personal data across the Atlantic was invalid. In the light of revelations about U.S. National Security Agency snooping, the agreement used since 2000 isn't enough to ensure Europeans' privacy is protected if their data is stored in the U.S., the court said.

The law in this area may remain murky for months or years, but enterprises should already be looking at alternatives to Safe Harbor, the lawyers said on a conference call organized by the International Association of Privacy Professionals.

Companies that do business across the ocean and have been using the agreement in good faith will get at least a short grace period before data protection authorities start knocking on doors, said Brian Hengesbaugh, a partner at law firm Baker & McKenzie and a former member of the team that crafted the Safe Harbor agreement. Jumping on those enterprises would be considered a misuse of the enforcers' legal authority, he said. 

But for some, especially big U.S. companies and service providers, the questions could come soon. It's likely they'll start getting letters from data protection authorities in European countries where they store data, asking them to explain how they are legitimizing their data transfers, said Eduardo Ustaran of the London law firm Hogan Lovells. 

Lawsuits by consumers or privacy activists, like the one by Austrian citizen Max Schrems that led to Tuesday's ruling, are an even greater threat to companies that store European data in the U.S., said Christopher Kuner, senior privacy counsel at Wilson Sonsini Goodrich & Rosati in Brussels. The ruling will force data protection authorities to investigate all such claims, he said.

Enterprises already have some alternatives to Safe Harbor. The European Union's Article 29 Working Party, a data protection body, has developed so-called Binding Corporate Rules for trans-Atlantic data transfers between organizations. The EU has also crafted "model clauses" to include in contracts with partners and customers. Companies can also write their own contracts or set up agreements with multiple parties, Ustaran said.

Using a new legal tool doesn't have to mean starting from scratch. Parts of the Safe Harbor agreement can be recycled, and the EU's Binding Corporate Rules are fairly similar, Ustaran said. 

Microsoft said Tuesday it's all set to continue data transfers and legally protect customers of its cloud services, including Azure Core Services and Office 365. It's using the EU Model Clauses. 

In addition, about 70 companies are using the Binding Corporate Rules. But for most of the approximately 4,000 organizations that have been relying on Safe Harbor, many of which are small and medium-sized businesses, there's a lot of work ahead. 

"Many companies will be in limbo," Ustaran said. 

They should start by deciding which kinds of data transfers are critical and address those first, looking at which alternatives would work for them. 

Each country in the EU has its own data protection authority, and they're likely to take different approaches, Kuner of Wilson Sonsini said. Some might decide Safe Harbor is still adequate. Should companies take a chance on that? "I wouldn't advise it," Kuner said.

He also warned that it's easy to download standard contractual clauses, print them out and sign them, but you actually have to make sure you can comply with them and may need to have them approved by a country's data protection authority. 

However much Tuesday's ruling may affect enterprises, the U.S. and EU haven't tackled the greatest threat to data privacy, which is government surveillance, said Nuala O'Connor, president and CEO of the Center for Democracy & Technology. "I don't think anybody's privacy is any better today than it was yesterday," she said.

The U.S. and EU have been working on a new Safe Harbor agreement since, but with issues like government spying to work out, it may take a while.

"I wouldn't be holding my breath for Safe Harbor 2," Ustaran said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stephen Lawson

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?