In this guest post, Rafi Azim-Khan, head of data privacy in Europe at legal firm Pillsbury Law, explains how the cloud provider community can side-step the European Court of Justice’s Safe Harbour verdict.
The European Court of Justice (ECJ), in response to a case brought by the Austrian student Maximilian Schrems against Ireland’s Data Protection Commissioner, has confirmed that the current Safe Harbour system of data-sharing between EEA states and the US is invalid, a conclusion that looks set to have a widespread economic impact, given just how many businesses rely on Safe Harbour to transfer and handle data in the US.
The Court has ruled that Facebook should not have been allowed to save Schrems’ private data in the US, and this is, essentially, a formal confirmation of the criticism that has been growing around the scheme for some time.
The million-dollar question is now: where does this leave US companies that rely heavily on Safe Harbour? And what about US cloud providers that are yet to build a European datacentre?
The facts of the matter
To recap, this case arose from proceedings before the Irish courts brought by Schrems, in which he challenged the Irish Data Protection Commissioner’s decision not to investigate claims that his personal data should have been safeguarded against surveillance by the US intelligence services while it was in the possession of Facebook.
The claim was brought in Ireland, as Facebook’s European operations are headquartered there, but was referred up to the ECJ.
So, given the serious question marks that loom over the future of Safe Harbour and the threat of significant new fines under the imminent General Data Protection Regulation, what should US businesses, including cloud providers, look to be doing now to avoid having to process their data in the EU?
Handily, there is another legal mechanism that they can turn to.
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA in a compliant manner.
BCRs are increasingly becoming a preferred option for those who have a lot of data flowing internationally and wish to demonstrate compliance, keep regulators at bay and prepare for a world without Safe Harbour.
Companies that put BCRs in place commit to certain data security and privacy standards relating to their processing activities and, once approved, the “blessed” scheme provides a safe environment within which data transfers can take place.
BCRs also have material long-term benefits: some upfront work, via preparing and submitting the application, should reduce the risk of fines and undoubtedly position an applicant in line for a privacy “seal” once the new EU Data Protection Regulation is introduced.
Model contract clauses, which can also be used to “adequately safeguard” data transfers from Europe, present themselves as a safer route to compliance than Safe Harbour as things stand.
However, they do have a number of drawbacks compared to BCRs, including inflexibility, large numbers of contracts being required in large organisations and the need for regular updates.
Post-Safe Harbour: Next steps
In short, any US companies, whether big brands or smaller enterprises, that have existing EU offices, customers, marketing or business partners, as well as those which are yet to build an EU datacentre, would be well advised to reassess their procedures, policies and documents regarding how they handle data.
The storm of new laws, much higher fines and enforcement, with more due shortly when the final draft of the new EU Data Protection Regulation is published, means it would be a false economy not to act now and seek advice.