Safe Harbor Is Invalid. What Should You Do Next?
By Daniel L. Farris
In the days since the CJEU issued its decision invalidating Safe Harbor, many US companies have struggled to understand what the decision means for them. Confusion and anxiety characterized many initial reactions, while others in Europe heralded the decision as long overdue. To aid the formerly-Safe Harbor certified in figuring out where to go next, we humbly offer the following suggestions.
Understand the Decision
First, respect the decision for its important legal significance. Safe Harbor, as a means of transferring data between the EU and US, is dead. This leaves thousands of companies who have relied on Safe Harbor for the last 15 years in a state of abrupt non-compliance. The CJEU’s decision also creates greater uncertainty for inter-company agreements and BCRs as long-term alternatives to Safe Harbor.
If Safe Harbor is invalid on the basis that data residing on US servers is freely accessible by the NSA, then one wonders how inter-company agreements or BCRs could provide adequate protection. Nonetheless, those methods of transatlantic data transfer are still technically valid, and DPAs are being careful in the wake of the CJEU’s decision not to call them into question.
Keep Calm and Carry On
Next, don’t pull the plug. Some initial reactions to the CJEU decision questioned whether companies should suspend the transmission of personal data from the EU to the US, or, alternatively, whether data centers should be relocated to the EU. Drastic changes to any current practices could have devastating effects for both an organization and, collectively, the economies of the EU and the US. While Safe Harbor is unquestionably invalid, it is difficult to imagine that member state DPAs will immediately engage in aggressive enforcement campaigns. Even if a DPA wanted to initiate more investigations, it is unclear that any DPA has the excess capacity, let alone political capital, to do so.
That is not to say that there will be no new enforcement. Companies should expect increased scrutiny. DPAs will simply have to prioritize the issues and organizations that are most relevant to their particular privacy expectations. Which leads us to our next point…
Get Your House in Order and Make a Plan
US companies are experiencing something of a reprieve at the moment, as all of Europe figures out how to react to the CJEU decision. Use this time to get your house in order. That is likely to mean engaging in one or more new compliance plans.
First, review your existing policies and ensure they incorporate the seven Safe Harbor Principles and comply with the Directive itself as much as possible. Once you have completed a policy review and made any necessary changes, be sure to track and assess actual data flows to ensure your business practices align with written policies.
Second, evaluate the alternatives available to you, choose one, and begin to pursue it. Whether contractual protections or BCRs are preferable will depend on a number of factors unique to your organization. While the long-term validity of these alternatives may be in question, they undoubtedly offer short-term cover in the event of increased scrutiny from the DPAs. Think of it this way: in responding to a compliance investigation, would you rather be able to demonstrate attempts at compliance, even if you are technically non-compliant, or would you rather have to respond that you simply did nothing because no clear path to compliance was identified?
Finally, keep an eye on events as they continue to develop. Whether the individual DPAs will all adopt the CJEU opinion consistently, or whether fractures will emerge in regulation and enforcement is still an open question. How DPAs will enforce data protection laws, and the degree of leniency that may be afforded, are also still to be determined. It seems clearer, however, that DPAs have been empowered significantly by the CJEU decision, and the compliance risks to US companies has increased. Once the General Data Protection Regulation is adopted, and penalties increase to a cap of 100 million Euros or 5% of global turnover, whichever is higher, DPAs will have extraordinary power to investigate and sanction companies that do not adequately safeguard personal data.
For assistance in understanding how the ECJ Decision may affect your company, auditing privacy and data security compliance programs, drafting model agreements, or preparing Binding Corporate Rules, please contact the author or a Polsinelli Privacy and Data Security team member.