With Safe Harbor Squashed, What's Next for European Data Transfers?

As anticipated, on Tuesday the European Court of Justice, Europe’s highest court, has ruled that longstanding Safe Harbor program for international data transfers between the United States and European Union is invalid. Our coverage of the facts leading up to that decision be found here. Now, as the dust settles, the talk turns to what to do next.

Options for meeting international data transfer requirements could include data protection clauses in contracts between companies exchanging data, adopting binding corporate rules, or obtaining the “unambiguous consent” of all customers. All have as many merits as logistical problems, including the time needed to negotiate and execute those agreements. “There are 4,500 companies that make use of the safe harbor so obviously it could be quite disruptive,” says ?Scott Vernick, a partner at law firm Fox Rothschild. "I’m not sure there are a lot of good options.”

U.S.-based businesses may also need to consider using European cloud services or build overseas data centers. “If you are transferring data so that you can engage in centralized accounting and financial operations, you would have to localize those operations,” Vernick says. “Your cost of doing business just got a heck of a lot more expensive.”

At the heart of the ECJ ruling are concerns that data snooping by U.S. intelligence agencies is contrary to pledges that the personal data of European customers is secure and protected. That view was challenged in a statement issued by the U.S. Mission to the European Union on Tuesday. “The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens,” it wrote. “The PRISM program that the Advocate General's opinion discusses is in fact targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations.” The government has also “taken unprecedented steps to enhance transparency and public accountability regarding U.S. intelligence practices, and to strengthen policies to ensure that all persons are treated with dignity and respect, regardless of their nationality or place of residence.”

“Moreover, the underlying issue here also goes far beyond the Safe Harbor Framework,” the State Department liaison wrote. “The Advocate General's reasoning would undercut the ability of other countries, businesses and citizens to rely upon negotiated arrangements with the European Commission.”

As for the EU view, Frans Timmermans, first vice-president of the European Commission, and Commissioner Vera Jourová issued statements to address the ruling and path forward.

Timmermans called the ruling “an important step towards upholding Europeans' fundamental rights to data protection.” Commission priorities, he said, are: the protection of personal data transferred across the Atlantic; the continuation of transatlantic data flows with adequate safeguards; and the uniform application of EU law in the internal market.

“We will come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the U.S., in the light of the ruling,” he said. “As citizens need robust safeguards and businesses need legal certainty; the guidance should help avoiding a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike.”

Jourová stressed the importance of working with the data protection authorities in member states to “ensure a coordinated response on alternative ways to transfer data” and “to step up discussions with the U.S. towards a renewed and safe framework for the transfer of personal data across the Atlantic.”

Jourová pointed out that various types of data transfers are not covered by current data protection rules. Among them: transfers to fulfill certain contracts (for example, when a resident of the EU books a hotel room in the U.S.); book a hotel in the U.S., my personal data are transferred there in order to fulfill the contract]; public interest grounds, such as cooperation between authorities regarding a cross-border criminal investigation; and “urgent life or death situations” where, for example, medical records can be transferred internationally in the person's own interest.