The EU-US Safe Harbor that governed the flow of data between the US and European Commission countries is dead, and there's no formal framework text to replace it yet. The result is a lot of legal uncertainty for many organizations when it comes to transatlantic transfers of data. It may be weeks or months before the dust settles. What do enterprises need to know now?
First, some background. On October 6, 2015, the European Court of Justice invalidated the EU-US Safe Harbor framework in the Maximilian Schrems v Data Protection Commissioner case. A couple of weeks later, the Article 29 Working Party issued a statement about the practical effects of the ruling. The group urged businesses to proceed very carefully. Then on February 2, 2016, the European Commission (EU) announced it and the US had agreed on a new framework for transatlantic data flows called the EU-US Privacy Shield, but because no text is yet available, the framework cannot be interpreted.
"We haven't seen the solution. We only heard very high-level principles by the European Commission and some data that was added by the Department of Commerce, but we need to see the actual documentation to understand exactly what this entails," said Omer Tene, VP of research and education at the International Association of Privacy Professionals (IAPP), in an interview.
It's clear that unfettered surveillance by the US is considered inconsistent with fundamental individual privacy rights of Europeans, and that opinions about where lines should be drawn differ from country to country, despite unified efforts to define what are and are not lawful transatlantic data transfers. In the interim, alternative mechanisms are available, including Standard Contractual Clauses and Binding Corporate Rules, but they are far from perfect.
"We're getting inquiries from European and US companies asking what they can do. The Article 29 Working Party said that the model clauses or the binding corporate rules are still legal, but they haven't said they're definitely going to be legal forever going forward, which puts people like me on edge," said Kenneth Mullen, a partner at law firm Withers Bergman, in an interview. "At the moment, companies are putting these alternative methods in place."
In addition, the Article 29 Working Party has strongly suggested businesses consider putting legal and technical solutions in place to further minimize risk, which some companies are doing. Others are taking a wait-and-see approach, since no one knows what the Privacy Shield will actually require until the text is available.
Here are a few things you should be aware of.