Assessing the Impact on International Corporate Data Transfers
Dino E. Medina, Esq.
General Counsel, CDS
In early October 2015, the Court of Justice of the European Union (CJEU) ruled that the U.S.-E.U. Safe Harbor program—created pursuant to European Commission Decision 2000/520/EC—is invalid because it does not allow individual E.U. member states to determine whether the program provides an adequate level of protection for E.U. citizens’ personal data. The decision in this case (Schrems v. Data Protection Commissioner, Case C 362/14) was fueled by Edward Snowden’s statements about NSA surveillance activities in the U.S. Since this is the highest court in the E.U., its ruling is binding on all E.U. member states and cannot be appealed.
For the past fifteen years, transnational companies including CDS used the Safe Harbor framework as a streamlined, cost-effective means to transfer data from the E.U. to the U.S. without violating the E.U.’s data privacy law, Directive 95/46/EC. It is important to note that, although the framework has been invalidated, there are still Directive- compliant modes of transporting data across E.U. borders and into the U.S.
- Ongoing discussions – CDS understands that Department of Commerce (DOC)/E.U. negotiations are ongoing, and the deadline for reaching a new agreement is January 31, 2016. In the interim, the DOC continues to administer the Safe Harbor program and will likely provide direction to affected U.S. entities in the upcoming weeks.
- Dispelling rumors – To date, there has been much public commentary on the CJEU’s ruling suggesting that transfers of personal data from the E.U. to the U.S. must cease immediately, and that all E.U. data currently in the U.S. under the Safe Harbor framework remains in-country illegally. Neither scenario is true.
- Nation-specific DPAs – Data Protection Authorities (DPAs) of each E.U. member state may now determine on their own whether Safe Harbor-based data transfers offer an adequate level of protection. If a particular DPA finds it does not, then the DPA is free to suspend such transfers from its jurisdiction.
- Data currently in the U.S. – The CJEU did NOT require any specific steps be taken with respect to data currently in the U.S. pursuant to Safe Harbor. However, should the DOC and E.U. not agree to a new Safe Harbor framework by the end of January 2016, DPAs will likely begin to take enforcement actions.
There are other mechanisms available for cross-border data transfers.
- A Data Transfer Agreement with Model Contract Clauses can be used to establish the requirements for data transfers between companies and third-party vendors.
- Companies can develop Binding Corporate Rules for intracompany data transfers made transnationally, which require DPA approval for the respective E.U. member state.
CDS will consider these mechanisms on a case-by-case basis and will leverage its full service, London-based data center to maintain data within E.U. borders whenever possible.
Complete Discovery Source (CDS) is a leading eDiscovery company, providing litigation technology and hosting, advisory services, and managed services to support complex discovery matters. CDS is the first choice of the Am Law 100 and Fortune 500 and is recognized as Best in End-to-End eDiscovery by the National Law Journal and New York Law Journal. With a team of seasoned legal experts and technicians, CDS uses advanced, tested, and defensible services and software to support all stages and types of eDiscovery. Supporting a number of eDiscovery tools, CDS is an Orange-Level Best-in-Service Relativity® Provider and provides one of the largest and highest volume footprints delivering that platform. CDS is headquartered in New York with regional offices in Chicago and Washington DC. The company maintains highly secure ISO 27001 certified hosting and SSAE 16 SOC 1 Type 2 audited data centers in the US and Europe. Complete Discovery Source, Inc. is not a law firm and does not provide legal representation or advice to its clients. We urge you to obtain legal counsel before taking any actions which may have legal consequences.