Safe Harbor Overthrow Creates New Data Purgatory For US, EU Companies

The SIINDA conference in Prague concluded today with a panel of European publishers and lawyers discussing a range of legal and regulatory issues now facing companies operating in Europe: taxation, competition, but mostly the defeat of the current Safe Harbor data transfer agreement.

On the panel were Andriani Ferti, attorney for Clifford Chance LLP; Kostas Rossoglou, head of EU Public Policy for Yelp; Michal Feix, from Czech search engine Seznam.cz; and Stephanie Verilhac, director of SIINDA EU affairs.

They presented a picture of a legal and regulatory framework that was very much up in the air, a situation that is potentially as difficult for EU companies as it is for North Americans. And despite the PR-driven assurances by some US marketing executives, the regulatory reality in Europe is anything but clear at this moment.

To recap, last week the European Court of Justice (CJEU) cited Snowden and NSA spying, in the Schrems case, to invalidate a long-established Safe Harbor agreement between Europe and the US that allowed the transfer and processing of data between servers in the US and Europe. The rationale was that EU citizens’ data was not protected when it traveled to the US and was subject to potential US government surveillance.

The decision also created or validated the idea of a private right of action by any individual against companies deemed to have violated privacy rights — meaning individual Europeans can now sue Google, Facebook and anyone else (e.g., banks/credit card companies) they perceive to be violating their privacy rights under EU law. Arguably, in a case where data transfer to the US, liability would be nearly automatic; however, it’s unclear how damages might be calculated.

In addition, the CJEU ruling delegated power back to the 28 member EU states’ data protection authorities, which could potentially deliver inconsistent decisions. That has already started to happen, with German data protection authorities recently suggesting that non-EU companies locate servers within Germany (vs. Europe). A pending overhaul of privacy regulations (GDPR) in Europe is intended to create an updated and uniform framework for all of Europe, though the new rules have many potential problems.

In the wake of the CJEU-Schrems decision, the European Commission issued a statement that Europe was interested in negotiating a new agreement with the US to ensure the free flow of information across the Atlantic, but one that was equally compliant with EU privacy laws. Here are the EU’s stated objectives and priorities in the wake of the decision:

• The protection of personal data transferred across the Atlantic.
• The continuation of transatlantic data flows, which are important for our economy, with adequate safeguards.
• The uniform application of EU law in the internal market.

The Commission suggested that there were alternative mechanisms currently available to enable data transfer to continue, such as private contracts and informed consent of individual consumers. While these mechanisms might work, there’s still a cloud of ambiguity hanging over these approaches, too. Beyond this, a new “safe harbor” agreement between the US and Europe might not be enough to overcome the data-transfer objections raised by the CJEU in Schrems.

EU data protection regulators from multiple countries are now promising guidance in the coming weeks on how companies should proceed in the wake of the CJEU ruling. We may be a year or more away from finalization of the new GDPR data protection framework. In the interim, companies on both sides of the Atlantic need a way to operate internationally that isn’t going to subject them to a flood of privacy litigation simply because data is flowing between the US and Europe.

It remains unclear at this moment how that will happen.