Safe Harbor ruling sends big ripples through U.S. companies
Businesses scramble to protect privacy of European data transfers
By Edward Iwata, ThirdCertainty
Some 4,500 U.S. companies are under pressure to figure out how Europe’s stunning Safe Harbor privacy ruling could disrupt their business models in 2016.
Those now in scramble mode range from Google, Apple and Amazon to hundreds of small- and mid-size companies that rely on selling advertising and supplying online services to European clientele.
In October, the European Court of Justice invalidated a 15-year-old Safe Harbor agreement, which lets American companies use a single standard for consumer privacy and data storage in both the United States and Europe. The ruling came after Edward Snowden’s NSA leaks showed that European data stored by U.S. companies was not safe from surveillance that would be illegal in Europe.
Privacy advocates and European leaders have hailed the ruling, while U.S. Commerce Secretary Penny Pritzker has expressed concern that it will hurt digital commerce and trade.
Billions at stake
The risks are high for U.S. companies that do not take any steps to safeguard their data transfers from the European Union. If European companies think that U.S. businesses are not adequately safeguarding the privacy rights of European citizens, deals could fall through and U.S. companies could lose billions of dollars.
“There’s a lot of uncertainty and angst, and not a lot of meaningful discussion about what happens if we get this wrong,” warns attorney Gerry Stegmaier of the Goodwin Procter law firm. “The climate of uncertainty is very likely to impact the ability of businesses to sell their services and to close deals in Europe.”
Before the court ruling, European and U.S. negotiators had been working on a new Safe Harbor Framework. But now the fate of another agreement—what some called Safe Harbor 2.0—is unclear. Data-protection agencies in Europe have said that negotiators must come up with a new pact by early next year.
The court’s opinion reinforces the power of European regulators, says Odia Kagan, an attorney at the Ballard Spahr law firm in Philadelphia. Emboldened by the court opinion, the regulators may take quick enforcement actions against U.S. companies that fail to replace the old Safe Harbor guidelines with stronger measures to protect data privacy.
In the U.S., regulators typically go after high-profile companies and brands that stand out, according to Stegmaier. “You don’t want to be the first zebra or the last zebra in a Nile River full of crocodiles,” Stegmaier says.
Enforcement deadline looms
Failure to have enough data protection—if done deliberately or out of gross negligence—would be a criminal offense in Europe, law professor Sakari Melander at the University of Helsinki told the Helsinki Times.
European Union regulators warned in October that they would take “coordinated enforcement action” against companies if no new agreement is found for data transfers by the end of January 2016.
And Finnish regulators already have started examining the impact of the court ruling on companies that transfer data in Finland.
Luckily, U.S. companies—whether Fortune 500 giants or small and mid-size businesses—have backup plans and options available to them. “Now companies will have to move to new legal mechanisms to transfer data to the U.S.,” says Phil Lee, head of the Fieldfisher law firm’s office in Palo Alto, Calif.
To comply with European data-transfer practices upheld by the high court, many large companies have anticipated the ruling and will keep their data in Europe, or work with European business partners already in compliance. Google, for instance, already is expanding its Europe-based data centers.
Many companies will use “model contracts,” or 10-to-20 page contracts in which businesses agree to protect data transfers and privacy similar to the Safe Harbor guidelines.
The upside to model contracts? Companies and vendors can negotiate and tailor different types of contracts, based on their business needs, legal experts say. The downside? Some contracts allow customers to audit a company, or to take legal action based on breach of contract, according to Lee. The contracts also must be revised often.
Companies also will go the “consent” route, which requires that consumers give their fully informed consent for the transfer of personal data. Other companies may transfer the personal data anonymously, which would “fall out of the scope of EU data protection laws,” according to Stegmaier.
In the end, Stegmaier says, there is no “perfect compliance” or “one size fits all.” But companies still must regularly assess the law and their data-transfer practices, plus the practices of their vendors and partners in the supply chain. If contracts are filed away and never updated, that’s an invitation to legal woes.
Proceed with caution
Aiming to help U.S. companies comply with the high court’s ruling, the European Commission said in early November that it has “stepped up its talks with the U.S. government” in hopes of forging a new agreement for “transatlantic transfers of personal data.”
Even with different legal avenues, companies should proceed carefully amid the uncertainty.
The court’s ruling “should strike fear in the hearts of compliance officers and general counsel,” says Nuala O’Connor, head of the Center for Democracy and Technology and former chief privacy officer of the U.S. Department of Homeland Security. Companies, she warns, ought to be “cautious in trying to jump to another legal vehicle right now in this time of tremendous disruption and dislocation.”
Whichever legal route they take, businesses should not panic.
“The Internet and data transfer haven’t died,” Kagan says. “But you do need to beef up your existing protections, and protect the information the best way you can.”