Mary J. Hildebrand
Rooted in history and deep-seated cultural beliefs, the European Court of Justice’s (ECJ) recent decision to invalidate a major data-sharing agreement should be as unsurprising as it is unsettling to U.S. companies conducting business in Europe.
The court invalidated the Safe Harbor pact, an international data-transfer agreement that allows American companies to move personal data between the European Union and the U.S. In its decision, the court cited allegations by notorious former national-security contractor Edward Snowden that U.S. spying agencies had legal access to the vast troves of personal data held on American companies’ servers. That, the court wrote, violates European citizens’ right to the privacy of personal data conferred by the Charter of Fundamental Rights of the European Union (EU).
Implicit in the decision is the notion that the U.S. prizes national security over an individual’s right to privacy, while Europeans have long taken the opposite view. This reflects long-held cultural differences; the U.S. Constitution doesn’t mention the word “privacy” once, but the right is enshrined in numerous national laws and a handful of supranational protections, including the Convention for the Protection of Human Rights and Fundamental Freedoms and Protocols.
That agreement was signed in 1950, when the horrors of World War II still dominated Europe’s collective consciousness, and that experience, among others where personal information was used for totalitarian and genocidal purposes, helped form the widespread, almost visceral belief in the individual right to privacy. I would argue that those experiences continue to shape European privacy rules, including the one handed down by the ECJ.
Understanding these underlying cultural principles is important for U.S. executives trying to navigate the shifting tectonics of European data-protection laws. At this moment, however, it’s also crucial to examine the practical ramifications of losing the Safe Harbor pact as a legal basis for exporting personal data from the EU to the U.S.
In the wake of that decision, U.S. businesses must immediately consider alternative methods available for cross-border transfers of European personal data. Here are three potential alternatives:
- Consent: Individual EU citizens may consent to let their personal data be transferred to the U.S., provided that such consent is freely given, specific, informed and unambiguous. While the concept of “consent” is not uniformly defined through the EU, this is generally understood to mean that all of your company’s subscribers or employees must “opt-in” to permit their personal data to be transferred and stored stateside. The question then becomes: What rules govern that personal data in the U.S.? If you are required as a condition of transferring the data to conform to the same rules that apply to an EU citizen in the EU, what happens if you’re served with a subpoena from a U.S. intelligence service seeking the EU personal data?
- Model Contracts: These are forms negotiated between the U.S. Commerce Department and the European Commission that give U.S. companies the right to legally transfer personal data from the EU to the U.S. However, model contracts typically cannot be modified to suit the business transaction, and this inflexibility sometimes renders them infeasible.
- Binding Corporate Rules: The EU Article 29 Working Party developed these rules to allow multinational corporations to make intra-organizational transfers of personal data across borders in compliance with EU data-protection law. These “BCRs” must be approved by the Data Protection Authorities, a process that can take months.
Whichever method you choose, choose it quick. The ECJ’s decision is effective on the date of issuance, meaning any personal data of EU citizens that your company has already collected and is storing in the U.S. (including cloud storage) should now be returned to the EU, ideally to the country of origin, unless you have a legally acceptable alternative.
And looking ahead, U.S. businesses need to be ready for more changes. Modifications to the Safe Harbor pact, currently being negotiated by American and EU officials, are expected to address many of the EU’s issues; an agreement is expected in the next few months. Meanwhile the EU Commission is expected to approve an entirely new regime on data privacy, which would have the full force of law, by early next year (with implementation by 2018).
While these changes might provide U.S. businesses with better alternative methods of international data transfer, it’s important to bear in mind that the court’s new ruling provides that each EU member state retains the right to investigate complaints regarding privacy violations arising from data transfer to third countries under a revised Safe Harbor scheme and the alternative transfer methods cited above, and refer such violations to the ECJ.
In other words, even if the EU Commission has made a decision regarding a method of data transfer to a third country, the National Supervisory Authorities in member nations have the right to examine complaints independently, and bring those deemed meritorious before the ECJ for a final determination.
A lot to digest? Yes. But with European data protection, that’s nothing new. And the history is being written as we speak.
Comment