The European Union’s (EU) highest court, the European Court of Justice, struck down the 15-year-old “Safe Harbor” pact used by companies to transfer Europeans’ personal data to the United States. The ruling affects approximately 4,500 companies that move and/or store personal data. The ruling was based on the Edward Snowden leaks, which the EU court cited as a clear demonstration of an inability to safeguard Europeans’ personal data. The EU court ruling ultimately found that the data-transfer pact with the US violates the privacy of its citizens.
This ruling throws into question the transfer of data that underpins the world’s largest trading relationship – the US and the EU. National regulators in the EU can override the 15-year-old “Safe Harbor” pact, used by companies like Apple and Google, because it violates the privacy rights of Europeans by exposing them to allegedly indiscriminate surveillance by the US government. Among those affected by the ruling are:
- financial services organizations
- retail and e-commerce companies with European customer information
- online advertising companies
- companies like Amazon that store data (via cloud services) on behalf of European companies
- companies that store HR documentation on European employees
Now companies are scrambling to understand the ruling and to preserve their ability to transfer Europeans’ personal data to the US before regulators move in with fines or orders to suspend data flows.
Companies looking for alternatives
While there is a need to find either an alternative to or reformed version of Safe Harbor, there is likely no unified regulation (like the invalidated Safe Harbor pact) that will be in place for some time. EU law provides for two additional ways to transfer personal data legally, but these methods are more time-consuming to implement because they often require prior approval from regulators.
The two methods for data transfers out of the European Economic Area (EEA) are:
- Model Contracts: The EU has approved model contracts that companies can use for data transfers that usually get automatic approval by the various EU data protection authorities (DPA).
- Binding Corporate Rules (BCR): Multinational companies can define internal rules for performing international data transfers, which they can then get approved by a lead DPA.
Potential business impact right now
The European Court of Justice’s decision does not mandate an immediate end to those personal-data transfers. But it does rule that national European data-protection regulators have the right to investigate the transfers and suspend them if sufficient protections are not provided. The burden now shifts to companies with a need to conduct a data transfer involving Europeans’ personal information.
Additional business impacts still developing
- Fragmentation – Companies affected by this ruling will need to work with the DPAs of each individual EU member country instead of one unified data-transfer pact and regulatory body.
- Financial, operational and legal impacts
  - American companies need to consider restructuring how they manage, store and use data in Europe. This will require resources, time and money.
  - Small- and mid-size businesses in particular may be adversely affected by this ruling because they may lack the legal support needed to adopt other data-transfer methods and to fend off complaints by regulators in multiple EU countries.
- Regulatory penalties – Potential fines and orders to suspend data flows could be an eventual outcome of this ruling.
What to do now:
- Understand the risks based on this ruling.
- Evaluate and prioritize which organizations or vendors are affected by this ruling.
- Assess critical transfers of data first, then prioritize the rest.
- Review and enhance processes and procedures.
- Closely monitor changes as the ruling’s impacts continue to emerge.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.