What this will mean for both US and EU companies
Today thousands of potential jobs, billions in revenues and any cooperation such as medical research have been put into question by a landmark decision of the Court of Justice of the European Union (CJEU) in Luxembourg. After a multi-year, back-and-forth, nail-biting legal exercise, the CJEU has today ruled that the Safe Harbor data-sharing agreement between the EU and the US is invalid. It has also ruled that national supervisory authorities should be able to launch court proceedings to over-rule any data-sharing agreements between the EU and third countries.
What does that mean? Data can be transferred between the US and the EU through various mechanisms, including an agreement called the Safe Harbor Agreement. Previously that worked well, as the EU saw that it provided adequate safeguards. Today the CJEU has ruled (courtesy of PRISM and Mr. Snowden) that it does not. So whilst the transfer of data is not invalid, the process for doing so has become less clear, with national data protection authorities now having increased powers to intervene directly as a result of this decision.
A cloud of uncertainty has covered the EU
If you thought moving your customers’ data to the Internet/Cloud was a risky and uncertain procedure, well, unfortunately it just got worse. A whole new can of worms has opened up.
We hope the sober minds of the US and EU will react sensibly to resolve the many issues now being raised. The most challenging and frightening outcomes on the table include:
- Data flows between the EU and the US could be suspended. Without a valid EU-US data transfer agreement in place, it is unclear how trans-Atlantic data transfers could continue to take place.
- Negotiations between the EU and US to review the Safe Harbour, which are already in an advanced position, will now have to be renegotiated.
- Negotiations to complete the General Data Protection Regulation (GDPR) could be delayed.
There is also the slippery slope. The GDPR, currently being negotiated, would allow for the Commission to define a list of third countries to which data can be transferred. This judgment means that this list would not be definitive. Each of the 28 Member States and pressure groups could launch court proceedings to over-rule this list and refuse data transfers to any country it considers not to have a high enough level of protection for EU citizens. This would cause uncertainty and fragmentation for businesses.
Next steps – don’t worry the world is not doomed…
- The European Commission has been in the process of renegotiating the Safe Harbor agreement with the US since 2013 (hopefully now with a new name made of numbers that doesn’t make it a target for regulators). Today’s decision will likely complicate the talks and raise the legal bar and the requirements to be considered adequate safeguards.
- We understand that the US Government’s Department of Commerce is preparing guidance for companies, following today’s judgment. This is expected to come out at the end of this week.
- AmCham has already issued a response to the case. We expect that many other trade associations will also be issuing statements and guidance in the coming days.
Here’s a quick update: Official European Commission Response
Key highlights: Vice-President Timmermans said the Commission was ‘not surprised’ by the ruling, as it is very much in line with the Advocate General’s opinion issued 2 weeks ago and a validation of the Commission’s own stance with the 13 recommendations they have been negotiating with the US on Safe Harbor since 2013. He sees it as ‘neither a huge reinforcement, nor a huge blow’.
Commissioner Jourova highlighted 3 actions:
- Safe Harbour negotiations: the European Commission is to ensure that ‘sufficient’ safeguards will be met for EU citizens by stepping up and finalising its negotiations with the US on revising Safe Harbour. However, she declined to give a timeline, saying that negotiations had already been delayed past the expected deadline of summer 2015 due to national security reasons.
- Data transfers: Commissioner Jourova confirmed that EU-US data transfers cannot continue under the Safe Harbour mechanism. She said that other international data transfer mechanisms must be relied upon instead, which are provided for in the current Data Protection Directive: standard contract clauses, binding corporate rules (for intra-company transfers) and derogations such as the performance of a contract, public interest grounds (including the fight against fraud), the vital interests of the data subject, or in cases where the individual has given free and informed consent.
- Prevent uncertainty and fragmentation: The Commission will provide guidance to the national data protection authorities to ensure they are coordinated on alternative ways for data transfer and on how these apply to businesses. Information will be published on the Commission website soon. The Commission said it understands the business need for a coordinated approach to data protection in the EU, and for avoiding fragmentation. They are already in ‘intensive discussions’ with national data protection supervisory authorities and the Chair of the Article 29 Working Party. More meetings will take place over the coming weeks.
GDPR: Commissioner Jourova said that the General Data Protection Regulation (GDPR) negotiations are still on track to be finalised by the end of the year. She said the ruling supports the regulation, as the regulation would strengthen the power of national data protection supervisory authorities.
The outcome of the case was the result of one student’s vision of taking on the US Government to prevent unlawful surveillance of personal data. But as Cynthia Rich, an analyst in Washington D.C., rightly highlights in a blog, killing Safe Harbor will not have much of an impact on the surveillance rules of the US or of all the other EU countries spying on foreign countries. It will, however, hurt business and anything that requires international data transfers.
By the way there are benefits to the Internet!
Ever wonder how important the data flow between the US and the EU really is? The success of the Internet relies on the flow of information and data between countries. It is core to the Digital Single Market initiative to reboot Europe’s sluggish economy. While US internet companies are aggressively ramping up their storage and processing capabilities in the EU, they are far from capable of taking on the massive flow of data generated in the EU. For the moment, the engine that really makes cloud computing services as we know them work is storing and processing the data in the US. It gets worse. The mechanics of cloud computing are not so clear-cut that you can drop data in the EU and expect it to provide 99.9% reliability. Redundancy of data often means duplicating information several times around the world.
If we see companies, governments, consumers and scientists sharing information on a wide range of issues across the planet, then we can start believing industry analyst figures that foresee the global cloud computing market growing from $40.7 billion in 2011 to $241 billion in 2020, according to Forrester Research. Cloud computing will generate nearly 14 million jobs worldwide from 2011 to 2015, according to a study by the analyst firm IDC. This is just the tip of the iceberg, as tens of billions of euro are spent, both publicly and privately, on medical and scientific research in the US and EU each year, with increasing trans-Atlantic cooperation.