Earlier this week another huge shift happened, which may portend a very different world for compliance going forward. As with the most recent titanic shift (from the Volkswagen emissions-testing scandal) this event did not arrive from anti-corruption compliance. The event was the ruling by the European Court of Justice, in a decision known as the Schrems case that the previously presumed European Union Safe Harbor regime is invalid. That means EU member state data protection regulators do have power to investigate complaints about the adequacy of the level of protection of data transfers to the United States, and to suspend data transfers if they conclude that the U.S. does not provide an adequate level of protection.
This decision leaves many U.S. companies scrambling to ascertain the scope of the ruling and what it might mean for data collection in a wide range of areas going forward. Yet even the normally pro-business Financial Times said, “The U.S. authorities and American technology companies bear some blame for the ECJ’s ruling” largely because the companies have targeted what people normally consider to be private information in a “way that places commercial interests before those of customer protection.” Further, the National Security Agency has made no bones about the access it wants from those companies’ servers.
