The European Court of Justice’s decision to strike down the Safe Harbor framework was based on privacy concerns, but it significantly affects how business is conducted between the U.S. and EU member states, particularly for the legal community. The Chronicle shared the insights of Jon Fowler, Consilio CISO, on the ruling for the legal community from an American perspective, and this week we talked with Dr. Christian Schröder, Head of the IP/IT and Data Privacy Practice Group in Germany at Orrick, to understand the German perspective.
The Court of Justice of the European Union’s (CJEU) decision invalidating the Safe Harbor framework is a significant ruling that will dramatically affect how business and legal affairs are conducted between EU member states and the U.S. The more than 4,400 U.S. entities that relied on the Safe Harbor framework have been left without definitive direction on how to transfer data that contains personally identifiable information (PII) between their EU-based customers, partners and affiliates.
While I am hopeful that an alternative framework will eventually be established (the EU Commission has clearly indicated its desire to continue to renegotiate the Safe Harbor framework), legal firms and multinational corporations engaged in eDiscovery must continue to work on matters in this nebulous environment. Moreover, while there is no clear guidance at the national and international level, there are many opportunities for pro-privacy groups and subnational authorities to assert legal claims that further muddy the waters. An example of this is the ruling on October 14, 2015 by the Data Protection Authority (DPA) of the state of Schleswig-Holstein, which issued a position paper that signified that data transfers to the U.S. could violate the law regardless of mechanism. In short, the DPA for Schleswig-Holstein has not only effectively cut ties between the U.S. and Germany, but it has also added precedent to further restrict data transfers. This decision limits the primary workarounds and must now be considered when developing a new regulatory framework.
With the exception of firms and corporations doing business in Schleswig-Holstein with U.S.-based companies, there are still, at least for now, viable alternative transfer mechanisms that mitigate legal risk. The Article 29 Working Party, an influential advisory body comprising member state privacy regulators, has provided some guidance amid the uncertainty. The Working Party stresses that a solution on the governmental level is urgently needed. In the meantime, it suggests that corporations establish EU model clause contracts (a set of EU-approved clauses for data transfers) or so-called Binding Corporate Rules; it also notes that national regulators reserve the right to investigate any data transfers to the U.S. The Working Party has also advised that if EU and U.S. regulators fail to resolve the situation by the end of January 2016, then EU data protection authorities will uphold the law. While the Working Party’s statement is not binding on any EU DPA, it is entirely consistent with the sudden, impractical burden that would otherwise be placed on corporations that had relied on Safe Harbor.
In the short term, the other option is to maintain data within the EU by working with companies that maintain bases of operations within EU member states.
To choose the best course of action to continue data transfers within the scope of the CJEU ruling, it is important to understand how your organization needs to move data. To do this, conduct a basic information risk assessment in which you review and document the following:
- Which entities do you currently transfer personal data to under Safe Harbor?
- What types of personal data do you collect?
- Where does this data flow?
- Who will receive the data?
- Where will it be used?
With these answers, it is far easier to prioritize matters affected by the ruling and determine which of the currently available alternatives will best support your needs.
The fundamental advice is not to panic but to plan. With the exception of the Schleswig-Holstein DPA decision, which does not represent the majority view in Germany, the invalidation of the Safe Harbor framework does not mean the end of data transfers between the U.S. and the EU. Now, the job of the EU and the U.S. is to build “Safe Harbor 2.0,” because it is not reasonable to think that the interim measures will be viable over the long term, because we’re not going to cut off ties and, frankly, because no one has time to wait.