With Safe Harbor gone, the hard work on data transfers starts now

Lawsuits and enforcement actions could come soon, so companies should get ready, data privacy lawyers say

Tuesday's ruling that struck down the most common way to legally transfer data between Europe and the U.S. didn't turn multinational companies into outlaws immediately, but they'd better start working on alternatives now.

That's what lawyers steeped in the arcane law of international data handling said in the aftermath of the decision by the Court of Justice of the European Union.

The court said the Safe Harbor agreement that thousands of companies have relied on to move personal data across the Atlantic was invalid. In the light of revelations about U.S. National Security Agency snooping, the agreement used since 2000 isn't enough to ensure Europeans' privacy is protected if their data is stored in the U.S., the court said.

The law in this area may remain murky for months or years, but enterprises should already be looking at alternatives to Safe Harbor, the lawyers said on a conference call organized by the International Association of Privacy Professionals.

Companies that do business across the ocean and have been using the agreement in good faith will get at least a short grace period before data protection authorities start knocking on doors, said Brian Hengesbaugh, a partner at law firm Baker & McKenzie and a former member of the team that crafted the Safe Harbor agreement. Jumping on those enterprises would be considered a misuse of the enforcers' legal authority, he said. 

But for some, especially big U.S. companies and service providers, the questions could come soon. It's likely they'll start getting letters from data protection authorities in European countries where they store data, asking them to explain how they are legitimizing their data transfers, said Eduardo Ustaran of the London law firm Hogan Lovells. 

Lawsuits by consumers or privacy activists, like the one by Austrian citizen Max Schrems that led to Tuesday's ruling, are an even greater threat to companies that store European data in the U.S., said Christopher Kuner, senior privacy counsel at Wilson Sonsini Goodrich & Rosati in Brussels. The ruling will force data protection authorities to investigate all such claims, he said.

Enterprises already have some alternatives to Safe Harbor. The European Union's Article 29 Working Party, a data protection body, has developed so-called Binding Corporate Rules for trans-Atlantic data transfers between organizations. The EU has also crafted "model clauses" to include in contracts with partners and customers. Companies can also write their own contracts or set up agreements with multiple parties, Ustaran said.

Using a new legal tool doesn't have to mean starting from scratch. Parts of the Safe Harbor agreement can be recycled, and the EU's Binding Corporate Rules are fairly similar, Ustaran said. 

Microsoft said Tuesday it's all set to continue data transfers and legally protect customers of its cloud services, including Azure Core Services and Office 365. It's using the EU Model Clauses. 

In addition, about 70 companies are using the Binding Corporate Rules. But for most of the approximately 4,000 organizations that have been relying on Safe Harbor, many of which are small and medium-sized businesses, there's a lot of work ahead. 

"Many companies will be in limbo," Ustaran said. 

They should start by deciding which kinds of data transfers are critical and address those first, looking at which alternatives would work for them. 

Each country in the EU has its own data protection authority, and they're likely to take different approaches, Kuner of Wilson Sonsini said. Some might decide Safe Harbor is still adequate. Should companies take a chance on that? "I wouldn't advise it," Kuner said.

He also warned that it's easy to download standard contractual clauses, print them out and sign them, but you actually have to make sure you can comply with them and may need to have them approved by a country's data protection authority. 

However much Tuesday's ruling may affect enterprises, the U.S. and EU haven't tackled the greatest threat to data privacy, which is government surveillance, said Nuala O'Connor, president and CEO of the Center for Democracy & Technology. "I don't think anybody's privacy is any better today than it was yesterday," she said.

The U.S. and EU have been working on a new Safe Harbor agreement since, but with issues like government spying to work out, it may take a while.

"I wouldn't be holding my breath for Safe Harbor 2," Ustaran said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stephen Lawson

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?