In the biggest fallout to date stemming from Edward Snowden’s exposure of the U.S. government’s personal data surveillance program, the Court of Justice of the European Union, on October 6, 2015, threw out a 15-year-old trans-Atlantic data transfer agreement defining the terms under which the personal data of EU citizens could be shared with companies in the United States.
The so-called “Safe Harbor” agreement is the basis for electronic consumer commerce between the U.S. and EU and affects more than 4,000 companies, including Facebook, Google and Microsoft. Since the agreement’s inception in 2000, EU regulators have raised significant concerns regarding compliance and enforcement, with the strongest criticism aimed at the self-policing certificate of compliance program.
Snowden’s revelations heightened concerns, and the situation deteriorated further in December 2013, when the U.S. government sued Microsoft to compel the software giant to turn over private emails held on a server in Ireland. The court ruled in that case that the U.S. government has the right to demand the emails of anyone in the world from any email provider headquartered in the United States. Microsoft has appealed.
Here’s what you need to know:
- The EU Court’s ruling is effective immediately, with enforcement action to begin by the end of January 2016 if no new agreement is reached.
- In the interim, personal data transfers are subject to individually negotiated “personal data transfer model contracts.” While the EU has pre-approved certain types of these contracts, exceptions apply.
- It is unclear whether such contracts will be sufficient to demonstrate that personal data is adequately protected as long as the U.S. government continues to claim the right to access any digital document stored on U.S. territory (and even beyond that, as the Microsoft case demonstrates).
- Companies may need to obtain explicit consent from EU citizens granting permission for their data to be transferred to the United States, and provide the ability to “opt out.”
- Personal data segmentation. Segmenting data into EU and non-EU categories should be an urgent priority.
- Data privacy impact assessments. These are needed to understand the extent of private data your organization holds and key privacy risk exposures.
- Model contracts for personal data transfer. Model contracts are available in two forms from the EU Commission. Consult with your legal advisers as to whether these standard contracts will cover your organization’s specific needs.
- Establish binding rules. These are needed for companies that share data internationally among internal corporate entities. Proceed with caution and consult with legal advisers.
- Assess personal data flows and encryption. Do so to ensure that personal data from EU citizens is kept within the EU, and explore EU-based data processing.
For a more robust analysis of this issue, read the Protiviti Safe Harbor Flash Report.