The Court of Justice of the European Union, in Luxembourg, is the EU's highest court. Credit: Court of Justice of the European Union
Tuesday's ruling that struck down the most common way to legally transfer data between Europe and the U.S. didn't turn multinational companies into outlaws immediately, but they'd better start working on alternatives now.
That's what lawyers steeped in the arcane law of international data handling said in the aftermath of the decision by the Court of Justice of the European Union.
The court said the Safe Harbor agreement that thousands of companies have relied on to move personal data across the Atlantic was invalid. In the light of revelations about U.S. National Security Agency snooping, the agreement used since 2000 isn't enough to ensure Europeans' privacy is protected if their data is stored in the U.S., the court said.
The law in this area may remain murky for months or years, but enterprises should already be looking at alternatives to Safe Harbor, the lawyers said on a conference call organized by the International Association of Privacy Professionals.
Companies that do business across the ocean and have been using the agreement in good faith will get at least a short grace period before data protection authorities start knocking on doors, said Brian Hengesbaugh, a partner at law firm Baker & McKenzie and a former member of the team that crafted the Safe Harbor agreement. Jumping on those enterprises would be considered a misuse of the enforcers' legal authority, he said.
But for some, especially big U.S. companies and service providers, the questions could come soon. It's likely they'll start getting letters from data protection authorities in European countries where they store data, asking them to explain how they are legitimizing their data transfers, said Eduardo Ustaran of the London law firm Hogan Lovells.
Lawsuits by consumers or privacy activists, like the one by Austrian citizen Max Schrems that led to Tuesday's ruling, are an even greater threat to companies that store European data in the U.S., said Christopher Kuner, senior privacy counsel at Wilson Sonsini Goodrich & Rosati in Brussels. The ruling will force data protection authorities to investigate all such claims, he said.
Enterprises already have some alternatives to Safe Harbor. The European Union's Article 29 Working Party, a data protection body, has developed so-called Binding Corporate Rules for trans-Atlantic data transfers between organizations. The EU has also crafted "model clauses" to include in contracts with partners and customers. Companies can also write their own contracts or set up agreements with multiple parties, Ustaran said.
Sign up for CIO Asia eNewsletters.