Safe Harbor ruling sends big ripples through U.S. companies

Businesses scramble to protect privacy of European data transfers


Some 4,500 U.S. companies are under pressure to figure out how Europe’s stunning Safe Harbor privacy ruling could disrupt their business models in 2016.

Those now in scramble mode range from Google, Apple and Amazon to hundreds of small- and mid-size companies that rely on selling advertising and supplying online services to European clientele.

In October, the European Court of Justice invalidated a 15-year-old Safe Harbor agreement, which lets American companies use a single standard for consumer privacy and data storage in both the United States and Europe. The ruling came after Edward Snowden’s NSA leaks showed that European data stored by U.S. companies was not safe from surveillance that would be illegal in Europe.


Privacy advocates and European leaders have hailed the ruling, while U.S. Commerce Secretary Penny Pritzker has expressed concern that it will hurt digital commerce and trade.

Billions at stake

The risks are high for U.S. companies that do not take any steps to safeguard their data transfers from the European Union. If European companies think that U.S. businesses are not adequately safeguarding the privacy rights of European citizens, deals could fall through and U.S. companies could lose billions of dollars.

Photo: Gerry Stegmaier, Goodwin Procter attorney

“There’s a lot of uncertainty and angst, and not a lot of meaningful discussion about what happens if we get this wrong,” warns attorney Gerry Stegmaier of the Goodwin Procter law firm. “The climate of uncertainty is very likely to impact the ability of businesses to sell their services and to close deals in Europe.”

Before the court ruling, European and U.S. negotiators had been working on a new Safe Harbor Framework. But now the fate of another agreement—what some called Safe Harbor 2.0—is unclear. Data-protection agencies in Europe have said that negotiators must come up with a new pact by early next year.

The court’s opinion reinforces the power of European regulators, says Odia Kagan, an attorney at the Ballard Spahr law firm in Philadelphia. Emboldened by the court opinion, the regulators may take quick enforcement actions against U.S. companies that fail to replace the old Safe Harbor guidelines with stronger measures to protect data privacy.

In the U.S., regulators typically go after high-profile companies and brands that stand out, according to Stegmaier. “You don’t want to be the first zebra or the last zebra in a Nile River full of crocodiles,” Stegmaier says.

Enforcement deadline looms

Failure to have enough data protection—if done deliberately or out of gross negligence—would be a criminal offense in Europe, law professor Sakari Melander at the University of Helsinki told the Helsinki Times.

European Union regulators warned in October that they would take “coordinated enforcement action” against companies if no new agreement is found for data transfers by the end of January 2016.

And Finnish regulators already have started examining the impact of the court ruling on companies that transfer data in Finland.

Luckily, U.S. companies—whether Fortune 500 giants or small and mid-size businesses—have backup plans and options available to them. “Now companies will have to move to new legal mechanisms to transfer data to the U.S.,” says Phil Lee, head of the Fieldfisher law firm’s office in Palo Alto, Calif.

To comply with European data-transfer practices upheld by the high court, many large companies have anticipated the ruling and will keep their data in Europe, or work with European business partners already in compliance. Google, for instance, already is expanding its Europe-based data centers.

Contractual options

Many companies will use “model contracts,” or 10-to-20 page contracts in which businesses agree to protect data transfers and privacy similar to the Safe Harbor guidelines.

The upside to model contracts? Companies and vendors can negotiate and tailor different types of contracts, based on their business needs, legal experts say. The downside? Some contracts allow customers to audit a company, or to take legal action based on breach of contract, according to Lee. The contracts also must be revised often.

Companies also will go the “consent” route, which requires that consumers give their fully informed consent for the transfer of personal data. Other companies may transfer the personal data anonymously, which would “fall out of the scope of EU data protection laws,” according to Stegmaier.

In the end, Stegmaier says, there is no “perfect compliance” or “one size fits all.” But companies still must regularly assess the law and their data-transfer practices, plus the practices of their vendors and partners in the supply chain. If contracts are filed away and never updated, that’s an invitation to legal woes.

Proceed with caution

Aiming to help U.S. companies comply with the high court’s ruling, the European Commission said in early November that it has “stepped up its talks with the U.S. government” in hopes of forging a new agreement for “transatlantic transfers of personal data.”

Photo: Nuala O’Connor, head of the Center for Democracy and Technology

Even with different legal avenues, companies should proceed carefully amid the uncertainty.

The court’s ruling “should strike fear in the hearts of compliance officers and general counsel,” says Nuala O’Connor, head of the Center for Democracy and Technology and former chief privacy officer of the U.S. Department of Homeland Security. Companies, she warns, ought to be “cautious in trying to jump to another legal vehicle right now in this time of tremendous disruption and dislocation.”

Whichever legal route they take, businesses should not panic.

“The Internet and data transfer haven’t died,” Kagan says. “But you do need to beef up your existing protections, and protect the information the best way you can.”
