This is a unique moment in the privacy and data protection world.
On October 6 the European Court of Justice – the highest court in the EU – judicially invalidated our most popular data transfer mechanism, the US Safe Harbor Program that allowed organisations to transfer personal data from the EU to US companies.
This is an important development on a number of levels. While there are other legal mechanisms that allow for the transfer of personal data outside of the EU, the Safe Harbor Program, with over 4,000 companies participating, was clearly the most popular.
The effect of the court’s ruling was to immediately make data transfers under this program illegal.
While some interpret the court’s ruling as politically motivated, or as wreaking havoc on a negotiated bi-lateral agreement, I see this moment as an opportunity.
After the Snowden revelations about the NSA’s surveillance programs, our European colleagues were kind enough to enumerate 13 specific areas for improvement of the program.
To be fair, many of them were well reasoned and I was encouraged that the Department of Commerce was open to change.
In fact, at the time of the court’s ruling in the Schrems case it was reported that the negotiators were down to a final point or two, namely the right of EU citizens to have judicial redress against US companies, and indiscriminate governmental surveillance.
The court’s ruling may be just the spur to motivate the negotiators to close the gap on these last points, and I’m confident that a new understanding will emerge.
Lost in the noise surrounding the Schrems case is a nuanced and important point that it wasn’t the framework that was invalidated, just the program.
That means that it is subject to change and once the negotiated points are agreed upon, then the program may back in a new and improved form.
I am hopeful that this is exactly what will occur and if it took the European Court of Justice to help us over the finish line, then they deserve a big thank you.
Of course no one knows if Safe Harbor 2.0, as it is already being called, will indeed be born, and even if it is it may have a completely different look and feel.
My guess is that it will be and that we can anticipate more robust monitoring and enforcement, something the FTC has already begun, and something we can all get behind.
Some are also speculating that the Safe Harbor seal program, where approved third party providers do annual audits, may be a thing of the past.
Also, look for EU citizens securing better access to their personal data and an easier path to obtain judicial relief, an important and valid issue.
Finally, look for a mechanism that limits certain types of governmental surveillance.
While nobody doubts the need for governments to access data to keep citizens safe, well-reasoned policy makers also recognise the imperative to balance access to that data with citizens’ fundamental rights to privacy.
While I hope that Safe Harbor does indeed get revamped, it is wise to prepare a Plan B, just in case it doesn’t.
The Working Party 29, in response to Schrems, quickly convened and issued a statement reiterating that the present program is no longer a valid way to transfer data out of the EU, while also leaving the door open for a new and improved Safe Harbor to emerge.
However, hope is not a good strategy, so the WP29 also gave clear expectations that organisations have until January 31 2016 to put in place an alternative transfer mechanism, namely either Standard Contractual Clauses or Binding Corporate Rules, both which are already on the books as approved avenues to move data.
Implementing a Plan B, especially as we enter the end of the year, will take significant work for any company, possibly utilising outside counsel with expertise in international data transfers.
But it is an investment well worth it as it will force us all to review our data management practices to ensure that they are still world class and that we are in fact doing what we think and say we are doing.
In the end, this is no bad thing.