For financial services companies, law firms and other organizations engaged in complex cross-border matters, the nullification of the Safe Harbor framework last month by the Court of Justice of the European Union (CJEU) has caused more than a few headaches and possibly some nightmares. While organizations were able to find some immediate workarounds amid reassurance from EU government officials that a three-month window was in place to determine an alternate framework, there was still a lack of certainty. This was heightened in light of the initial response of the Schleswig-Holstein data protection authority (DPA) on October 16, 2015 and the more recent response by the Länder, or German states, on October 26, 2015 “question[ing] the legitimacy of transfers based on model contract clauses or binding corporate rules [BCRs].” This interpretation also “confirmed that the German DPAs will not issue any new authorizations for data transfers to the U.S. on the basis of BCRs or data transfer agreements.” So, by the end of October, uncertainty was still the primary modus operandi for the 4,400 organizations that relied on the framework to facilitate transatlantic business.
It did look like November, despite the German DPAs’ stance, was bringing greater certainty and grounds for optimism regarding a new framework. In a November 2, 2015 Legaltech News article, EU Justice Commissioner Věra Jourová’s speech before the European Parliament was quoted “in which she announced that the European Union and the United States had agreed ‘in principle’ on a new ‘Safe Harbor 2.0’ framework to govern transatlantic data transfers” ahead of talks with U.S. Commerce Secretary Penny Pritzker. Then, on November 6, 2015, the European Commission issued an explanatory Communication that “provided an overview of alternative transfer tools, the conditions under which they can be used and their limitations.”
Justice Commissioner Jourová reiterated her intention to resolve the ambiguity and return “transatlantic commercial relationships [to] a sound footing” as part of her address to the Brookings Institution earlier this week. In her remarks, she acknowledged that “[a]lternative ways of transferring data are a short-term solution. With the current volume of transatlantic data transfers, it is clear that we need a comprehensive and effective framework in place as soon as possible.” She continued that “[a] renewed arrangement…will mean robust safeguards and legal certainty for citizens and businesses alike.”
However, given that the CJEU has indicated that stronger cooperation with European DPAs will be required and that DPAs will also have a role to play in the review of the functioning of the new system, any optimism must be tempered. With DPAs holding a range of views on the privacy of personal data and more parties being engaged in the process, the path forward might be less straightforward. It also remains to be seen how the November 13 attacks on Paris will affect the CJEU’s other key recommendation regarding the “national security exception.” Originally, the court intended that the exception be used “only to an extent that is strictly necessary or proportionate,” but how this will play out across a continent that, while unified in its stance against terrorism, certainly does not feel its impact uniformly, is yet another factor breeding uncertainty.
In the meantime, some common-sense rules still provide practical guidance. As Christian Schröder, Head of IP/IT and Data Privacy Practice Group in Germany at Orrick, eloquently put it in a recent article we published, “The fundamental advice is not to panic but to plan.” He further advised organizations to “conduct a basic information risk assessment…[to] review and document the following:
• Which entities do you currently transfer personal data to under Safe Harbor?
• What types of personal data do you collect?
• Where does this data flow?
• Who will receive the data?
• Where will it be used?”
Stay tuned for more coverage of the evolution of Safe Harbor 2.0 in December on The Chronicle, as we continue to share best practices from experts in Europe and the United States.