The European Court of Justice (ECJ) has just ruled that the Safe Harbor Agreement between the EU and the US is invalid. Safe Harbor allows the transfer of personal data collected in the EU to companies in the US as long as these comply with the rules of the agreement. Dr Fabian Niemann from the renowned law firm Bird&Bird explains in a brief interview what companies that have been transferring data to the US based on Safe Harbor will now have to bear in mind.
Should those companies which have been transferring data to the US based on Safe Harbor immediately stop the transfer after this judgement?
Although the ruling of the ECJ did not grant a grace period and it applies immediately, companies should not panic and immediately cease all data transfers. Instead, they should first check which data transfers in particular are affected, evaluate alternatives and await instructions from the corresponding data protection authorities.
The legal implications of the judgement are not as clear as it might have seemed at first. Although it is obvious that data transfers based on Safe Harbor will need to be re-assessed and possibly based on other grounds, it is not yet foreseeable what the new framework will look like. The assessment of the new situation and the resulting consequences for companies still looks very different to individual corresponding data protection authorities in the various EU member states. Without a consistent, official position of all authorities, an immediate stop of all running transfers would not be sensible at this point. In any case, it is recommended:
- not to introduce new applications relying on data transfers based on Safe Harbor,
- to follow the development and be prepared for all eventualities,
- to be especially prepared for the case that data protection authorities in individual member states might demand short-term drastic steps such as the complete stop of all data transfers, even without consent within the EU.
How high is the actual risk of direct legal consequences?
According to the unofficial statements of the corresponding authorities, the risk is currently still low. However, this can quickly change and for that reason, companies should – as mentioned above – evaluate alternative options as quickly as possible.
What implications does the judgement have on other legal frameworks of data transfer, specifically the Standard Contractual Clauses and Binding Corporate Rules?
These frameworks still apply. They are not part of the judgement. However, there is certainly a risk that these frameworks will be challenged by users, consumer associations or DPAs in front of the ECJ in the medium term.
“Digital business models, especially digital marketing, are almost unthinkable without the use of data. The judgement of the ECJ again underlines the importance of legally-compliant data usage. Data protection and privacy are no ‘accessory’ in data-driven marketing, but they must be consistently pursued and implemented in all processes. In addition to the issue of the server location, it is particularly important to be sure how and which data is collected and processed, e.g. regarding behaviour-related user profiles or when compiling data from social media or other sources. On both sides of the Atlantic, there is a very different awareness regarding data protection requirements. Companies which have so far captured data according to the German legal requirements and the German understanding of data protection have a clear competitive advantage. They are not only legally safer, but also score more favourably with users who are increasingly sensitised to data protection issues,” says Stefan von Lieven, CEO at artegic AG.
artegic has been certified company-wide according to the international data security standard ISO 27001 and has received multiple awards for data protection, including the ECO Internet Award for the data-privacy-compliant use of personal profiles in direct digital marketing.