Yesterday, in a landmark opinion, the European Court of Justice overturned the European Commission's 15-year old decision that the privacy principles of the U.S.-EU Safe Harbor Accord provide an adequate level of protection of the personal data of EU citizens. Now, national authorities will be reviewing whether the United States provides adequate protections (including under Safe Harbor) and potentially will be conducting their own investigations into individual complaints. This may significantly disrupt existing company global data flows, or at a minimum, add layers of complexity as it will put some premium on knowing which national authorities will have what jurisdiction over various types of data and IT operations (e.g., over servers, information, etc.).
In response to the decision (and some in preparation for it), clients who are currently depending on Safe Harbor to transfer data from the EU to the United States (or as the backbone of global transfers) have been taking or considering one or more of the following approaches to minimize compliance and enforcement risks:
- Put Model Contracts in Place (also BCRs Longer Term). Putting in place Model Contracts/Intra-Group Agreements (or even outsourcing data storage or certain IT operations to vendors with data transfer mechanisms in place) to cover any data transfer or access gaps they feel they may have (as a longer term solution, some companies are considering binding corporate rules as one additional data transfer mechanism to also put in place);
- Review Data Flows and Prioritize Remediation. Inventorying what personal data are being stored and transferred and prioritize key data transfer activities that must remain intact (business or operationally critical) and focus efforts toward ensuring data transfer and storage solutions are in place or can be rerouted or stored in a way to minimize risks (or avoid using a Safe Harbor-supported pathway);
- Contract Analysis. Analyzing existing contracts where there could be a breach based on the European Court of Justice opinion (or pursuant to a subsequent determination in an European Economic Area (EEA) member country), and, in such analysis, prioritizing the relationships and contracts to review data transfer pathways and compliance and/or to identify alternative legal or data architecture solutions;
- Consider EU Country-by-Country Leeway. Identifying where servers in the EU are located, and the specific local requirements and privacy protections, as national authorities will have greater leeway; and
- Outreach to DPAs and Monitor Consumer Complaints. Reaching out to Data Protection Authorities to build relationships and trust, while also updating consumer complaint and redress procedures to heighten alert to any specific requests or complaints as we expect more individuals to raise issues and concerns around privacy and data transfers.
Click here for a detailed analysis of the practical consequences of the decision.
To learn more about the impact of the decision on your company and about the approaches being taken by others, please contact Jim Koenig, Ashley Winton, or any member of our Global Privacy and Cybersecurity practice.