Not So Safe Harbor: With Popular Scheme Invalidated, Are You Ready?

Tuesday, October 27, 2015

When Europe’s highest court struck down an international agreement that enabled companies to legally transfer personal electronic data from Europe to the United States, it invalidated an enormously popular program used by thousands of US companies—particularly global tech giants—with business interests in Europe.

In its landmark October 6 decision in Maximillian Schrems v. Data Protection Commissioner, the European Court of Justice (ECJ) concluded that the so-called Safe Harbor framework no longer provides a justification for transfers of personal data to the United States. The ruling significantly strengthens the powers of EU data protection authorities to investigate suspected data breaches, allowing officials to suspend some or all personal data flows into the United States under certain circumstances. Individual European countries can now launch their own investigations into the handling of their citizens’ personal data by US companies. Uncertainties remain about the full ramifications of the decision, which is final and cannot be appealed. However, EU member and non-member countries are beginning to weigh in. Germany’s supervisory data protection authorities (German DPAs) have published a position paper (available in German) and recommendations on the ruling. And Israel's data protection authority, the Law, Information and Technology Authority, recently revoked its prior authorization for data transfers from Israel to the United States based on the Safe Harbor program. It is likely that other non-European DPAs will cease relying on Safe Harbor for transfers from their own jurisdictions to the United States.

What the ruling means

We invite you to read “ECJ Rules EU-US Safe Harbor Programme is Invalid,” in which Philadelphia partner Stephanie “Tess” Blair; Washington, DC, of counsel Dr. Axel Spies; and London partner Pulina Whitaker look into the broad implications of the ruling and touch on alternative compliance solutions clients may pursue.

Life Sciences Companies

The impact of the change isn’t limited to social media, Internet, cloud, and other tech companies and their ability to collect and retrieve digital data from the European Union. Life sciences companies will also need to review their strategies when importing patient data to the United States. Pulina and consultant Paul Ranson explore alternative options for life sciences companies in “International Life Sciences Data Transfers After Schrems.”

International Internal Investigations

The ruling is also likely to have far-reaching effects on how US corporations investigate allegations of wrongdoing by affiliates and subsidiaries based in Europe, including investigations of potential violations of the US Foreign Corrupt Practices Act. New York partner Martha Stolley and her team explore these issues in “Effects of Schrems Ruling on International Internal Investigations.”

We are ready to assist

Whether your concerns involve updating data transfer agreements, privacy policies, or employment agreements, or renegotiating services transactions in the wake of the ECJ’s Safe Harbor decision, our practitioners can help guide you toward the most effective, efficient solutions. We represent corporations and multinationals on various global issues, including international data protection and data transfers, privacy, technology licensing, and e-discovery.