Impact of US-EU Safe Harbor Strike Down on Companies
As of October 6, 2015, any operations under the US-EU Safe Harbor were declared illegal and invalid. This means that companies such as Facebook, Amazon and approximately 4700 other U.S. companies will have to find alternative methods of conducting cross-border data transfers between the United States and the European Union.
Currently, companies are required to adhere to the data protection laws of different EU states before collecting and transferring any personal data. Like other alternatives, this method is more cost-intensive and time-intensive, and each option bears risks and problems.
What Are The Options For Affected Companies?
According to Monique Goyens, director general of the European Consumer Organization, affected companies which still wish to continue sending European personal data across borders will be obligated to guarantee the required levels of protection in accordance with the EU rules.
This new process is likely to be subject to excessive paperwork, impacting the speed and efficiency of affected companies. Companies which have already drawn up their model contract clauses, for example, can continue with their operations, while those which haven’t may be forced to stop operations until they fulfill this requirement.
As an alternative, some companies have set up EU-based data centers while others are in the process of doing so. Google, for example, has already set up 4 data centers within Europe, one of which is situated in Ireland.
Generally, there are primary and secondary alternatives that companies could consider.
According to the EU data protection laws, personal data can only be transferred to the U.S. after an individual has given his or her consent. Normally, the consent must be explicit, unambiguous, fully informed and voluntary for it to be valid.
Unfortunately, most of the European countries find it difficult to obtain valid consent due to the level required. Companies will also find it difficult to use this avenue because many EU countries have determined informed consent to be inadequate to warrant the transfer of employee data.
Binding Corporate Rules (BCR)
This is only an option for intragroup companies, which are EU companies that want to share personal data with U.S. companies that belong to the same corporate group.
Although it sounds like an easy option for intragroup companies, BCR implementation is the most time-consuming and difficult of all Safe Harbor options. The process can take up to 18 months or more and requires review and approval from various relevant EU regulators before enactment. Additionally, BCRs can be challenged in a court of law, further lengthening the process.
Model Contract Clauses
To facilitate personal data protection, the European Commission approved some model contract clauses that could be included in agreements between data exporters and receivers. Companies using these clauses are advised to negotiate or renegotiate with each EU data exporter they conduct business with, to ensure that the appropriate clauses are included in their agreements.
These clauses are inflexible and therefore must be used in their original form. Another disadvantage is the fact that some EU member states require regulators to file and even approve these model clauses, further increasing the cost and time for compliance. Lastly, people could argue that the same theories used to invalidate the Safe Harbor could be used to invalidate the model contract clauses.
In November 2013, after a series of doubts had been raised about the credibility of the Safe Harbor, the Commission released 13 recommendations for improving the Safe Harbor agreement. By the time of the nullification verdict, the concerned parties were still in talks, negotiating the recommended changes. According to the First Vice President of the Commission, Frans Timmermans, the Commission has been working with the American authorities to ensure that data transfers are safe for European citizens. Timmermans added that the ECJ verdict on the Safe Harbor was one of the reasons why the Commission will continue towards a better and safer framework for personal data transfer. This is an alternative that will be ready for use in the near future, and companies can only look forward to it.
Impact On Users
It is predicted that the impact of the Safe Harbor strike-down will not be obvious to users in the short term. In theory, the termination of the agreement will ensure that users enjoy better protection of personal information. Additionally, US government access to personal data may be restricted. All these things happen in the background; therefore, to the common user, life will go on as always. Only the technocrats behind the scenes will see the real tangible change.
Sites such as Facebook will not experience significant disruption to their services. However, they will not be exempted from future complaints, probes and lawsuits from both data regulators and users. Unfortunately for small companies which are less financially stable and technologically handicapped, the effect will be great. These companies rely on cloud services to store their data. Under the current developments, these companies will have to adhere to the new systems and also ensure that the services they use abide by the regulations. This means that these small businesses will greatly feel the administrative and financial burden, stifling business growth to some extent.
Do We Expect Formulation Of A New Safe Harbor Agreement?
The ECJ ruling was actually a ratification of the Advocate General’s opinion on Safe Harbor, although it was not expected this early. Before the ruling, the EU and US were already in talks on how best to modify the Safe Harbor agreement, after the Snowden revelations. In an effort to ensure that EU citizens enjoy guaranteed data protection, the EU seems to be tightening the noose on the US using the threat of vetoing future trade agreements.
Although welcomed by most people, some analysts warned that the new ruling would hurt negotiations that would help formulate a new safe harbor agreement. Patrick Van Eecke, co-head of the global privacy practice at DLA Piper, particularly praised efforts by both parties to fine-tune the agreement to a workable solution but was quick to note that the ECJ ruling is likely to impede the negotiations.
Clearly, the former US-EU Safe Harbor was flawed by inadequate protection of personal data. Although it is currently nullified, US companies should only see this as a platform to analyze their services and build a better reputation with their clients. All-inclusive negotiations will help present concerns raised by both parties and ensure that the newly formulated agreements will be convenient and appreciated by parties across the board.