Data sharing is at the heart of how we do business today. We’ve come to expect that we can easily collaborate with co-workers, customers, vendors, etc. across the globe, on our own terms, with plenty of resources at our fingertips to facilitate our needs. It’s something we take for granted — we don’t even think about it, we just do it. Privacy and security have created a few obstacles over the years, especially since the U.S. does not have broad federal privacy laws to comply with, but Safe Harbor has traditionally served as a framework for how we handle data – until now.
Last week, the European courts ruled the 15-year-old Safe Harbor pact is now invalid, citing that it violates privacy rights. This has a direct impact on U.S. companies and how they operate overseas.
The court’s decision was based on the case of an Austrian named Max Schrems that involved Facebook’s transfer of data from Ireland to the U.S. Under today’s decision, transfers to U.S.-based businesses under Safe Harbor are no longer valid. To put that ruling into context, over 4,000 businesses currently rely on Safe Harbor and are impacted by this decision. This means that without alternative legal solutions in place, any business that sends data to the U.S. from the EU risks fines or orders to suspend transfers.
Faced with the fact that collaboration with EU-based organizations has come to an abrupt halt for those companies relying solely on Safe Harbor, all organizations are left wondering what to do next. Some companies might even be unaware they are violating the ruling, especially if they are relying on cloud-based services where data can be stored in any number of locations and by a number of different subcontractors.
Without Safe Harbor, alternatives for protection at the moment include EU model contract clauses and binding corporate rules (BCRs), although the latter involve a sometimes lengthy approval process by European regulators. Many businesses, anticipating the legal issues with Safe Harbor, have already been using model clauses as a method for carrying out international data transfers.
At a minimum, businesses should begin assessing other options. Look at data flows. Assess the scale and sensitivity of the information that needs to be shared. Look at existing contracts with cloud vendors – they might already include the use of model clauses. If they do not, try to find a vendor that does, or modify your existing agreements. If you don’t use a vendor, see if you can obtain consent for data export from the appropriate parties to reduce workflow interruptions while seeking a longer-term solution. As part of your assessment, call your data privacy lawyer to make sure you have covered every angle. For example, if you have multiple subsidiaries all sending data outside of Europe, you may need multiple model clauses, which can create contractual complexities.
While the immediate concerns have IT and legal teams scrambling, it’s important to recognize that this is not just an IT and legal issue. The executive team needs to take ownership and use a top-down approach to help prepare the company for the future. To stay ahead of the curve as data sovereignty evolves, consider adding a Chief Privacy Officer to the executive team. Addressing the issues of data privacy and data protection will require specialized knowledge and full-time attention to handle future regulations that will inevitably be put in place across the globe as other regions follow the EU’s lead.
For example, the U.S. has been in discussions with the EU since 2013 trying to come to terms on Safe Harbor 2.0. The ruling was most likely part of a political play, or at least welcomed by those looking to bring EU legal demands into sharp focus, and should certainly accelerate negotiations. However, we’ll continue to see a fundamental tension between U.S. national security interests and the EU’s protection of the individual’s right to privacy and the handling of their personal data.
The stakes are high and data sharing should no longer be taken for granted. Companies and their cloud providers are more responsible than ever for their data sovereignty, and there is no one to point the finger at but themselves if they face consequences from ignoring or abusing data processes.
Scott Semel is executive vice president and general counsel at Intralinks.