Transatlantic Crash: After EU Ruling, A Patchwork of Regulations Govern Data Transfers

Photo by DaveBleasdale (Flickr/Creative Commons)

The European Union’s highest court on Tuesday morning invalidated the transatlantic pact that had governed data transfers to and from the U.S., throwing a wrench into the business of thousands of companies and creating a potential opportunity for the growing crop of data privacy and security lawyers.

More than 4,500 companies had relied on the E.U.-U.S. Safe Harbor Framework, which created a centralized set of rules for U.S. companies to follow when transferring their data across the Atlantic.

Now, individual European Union countries will be able to set their own regulations and conduct their own oversight of data transfers to the U.S., according to James Daley, senior counsel at Seyfarth Shaw, who studied the opinion.

“This vastly complicates the regulatory framework in Europe,” said Daley, adding that individual countries can choose to suspend data transfers that had been allowed under the Safe Harbor.

Hugh Logue, a legal market research analyst at Outsell, published a note predicting the judicial decision would inject new uncertainty into the business of data transfer and storage. Logue called it the “perfect” market conditions for legal service providers.

“Rarely is there an area of law that is so central to the world’s economy where there is so much uncertainty,” he wrote, adding that the complexity of such laws is not expected to decrease anytime soon.

The legal case started in 2013, shortly after the first news articles detailing mass U.S. government surveillance based on Edward Snowden’s disclosures were published. Max Schrems, an Austrian law student who has a Facebook account, filed a complaint with the Irish Data Protection Authority, chosen because Facebook has servers there, arguing that U.S. government surveillance had rendered U.S. data protections inadequate. After the Irish data protection authorities found his complaint was precluded by the Safe Harbor, Schrems appealed all the way to the Court of Justice of the European Union, the top court.

He challenged the Safe Harbor Framework — which allows U.S. companies to self-certify — as a violation of his rights to privacy and personal data protection as outlined in the Charter of Fundamental Rights of the European Union, a document that all member countries must sign.

The case will be remanded back to the Irish Data Protection Authority to determine whether, in its view, Facebook adequately protects E.U. citizens’ data when it’s transferred to the U.S., according to Daley.

An English translation of the opinion can be found here.

Daley, who has worked on E.U. data policies for two decades and has given sworn testimony to policy makers there, said the ruling could further complicate eDiscovery that involves E.U. data; Schrems and others had been arguing that the European Commission was not pursuing violations of the Safe Harbor Framework, he said.

“Now each transfer is going to be subject to de novo [new] review by data protection authorities” in individual countries, said Daley. “And there isn’t this cloak of safe harbor to hide behind.”

John J. Rosenthal, of Winston & Strawn, who specializes in eDiscovery, said that many lawyers have already faced difficult questions in eDiscovery: If a discovery obligation violated E.U. laws, it would mean fines and prosecution in the E.U. for their client. But not complying with discovery would mean sanctions in a U.S. court.

“Here’s what actually happens,” said Rosenthal. “A lot of people just totally disregard the E.U. and comply with their discovery obligations. I’m not advocating this – it’s just very common.”

A full list of the 4,500 U.S. organizations that self-certified under safe harbor can be found here.

Michael Vatis, a cybersecurity partner at Steptoe & Johnson, said there are alternative ways to transfer data to the U.S. and that many of the companies or law firms that relied on safe harbor have a backup plan in place.

Companies can obtain consent from a subject of the data, he said, or companies can write “binding corporate rules,” essentially internal corporate rules that the European Data Protection Authority has approved.

Some companies use model contracts, which are essentially templates with a list of rules that companies receiving data must consent to, said Daley.

Many law firms, including Gibson Dunn & Crutcher, Fenwick & West and others are listed as self-certified under safe harbor.

“They’re in the same boat as other companies that have relied on safe harbor,” said Vatis, adding many rely on an alternative data transfer method.

But he noted one difference: law firms hold client data in addition to internal data, and obtaining consent from a client’s customers or employees may be more difficult than obtaining consent from a law firm’s own employees, which complicates matters.

Daley said he does not expect a legislative solution until early 2016: That’s when trilateral negotiations between the European Union Parliament, the European Commission and the E.U. Council are expected to wrap up on a new omnibus data law known as the General Data Protection Regulation. Even then, the bill could take years to come into effect, he said.

Still, pressure is mounting for a more immediate fix: “We are hoping for a quick political solution,” said Lisa Sotto, of Hunton & Williams, who specializes in privacy and cybersecurity. “This is a political issue, and it demands a political solution.”

Blake Edwards contributed to this article.

(UPDATED: This piece has been corrected to use the proper name of the E.U. Council.)