In a decision that created legal confusion for U.S. companies, the European Court of Justice last week struck down an agreement that allowed U.S. companies to transfer personal data collected in Europe to the United States.
Generally, European privacy laws do not allow organizations to move personal information to countries, like the United States, that European regulators have not deemed to have adequate privacy laws. The United States and the European Commission agreed to a set of “Safe Harbor” privacy principles in 2000 that allowed companies to commit to specific privacy protections that would be adequate to transfer data to the U.S.
{mosads}However, reacting to concerns about surveillance and law enforcement access to personal data following the disclosures by former National Security Agency contractor Edward Snowden, the Court of Justice has now found that the Safe Harbor program has failed to meet the standards of protection needed to justify the free transfer of European data.
As a result, the nearly 5000 companies in the Safe Harbor are scrambling to find legal mechanisms to continue to transfer data to the U.S. Left unaddressed in the current policy discussions, however, are the European companies that are also affected by the court’s decision.
The Future of Privacy Forum reported in 2014 that more than 150 European companies with U.S. divisions are in the Safe Harbor program. Among those organizations are some of Europe’s largest and most important businesses, including Bayer, Adidas, Ericsson and BMW. But legal uncertainty now strains data practices for European leaders in industries as diverse as engineering, telecommunications, software development and pharmaceuticals. These companies also now face legal risks and uncertainties. Participating firms depended on the program for their U.S. subsidiaries to effectively use data for research, improve products and serve customers, and the court’s decision affects all of these practices.
Also put at risk are Europeans who work for organizations that use the Safe Harbor agreement to process employee data in the U.S. These companies will surely find solutions to pay those employees, but simply collecting human resources data about those individual employees is now under a legal cloud, and subject to unnecessary complication and expense.
The Article 29 Working Party, in its statement on Oct. 16, declared that “Standard Contractual Clauses and Binding Corporate Rules can still be used” while the U.S. and EU are negotiating around a new Safe Harbor. However, it warned that data protection authorities can still investigate particular cases based on complaints brought by individuals.
This legal chaos now affects companies on both sides of the Atlantic. U.S. and EU policymakers and regulators need to work together to find a diplomatic solution for U.S. and EU companies, consumers and employees.
Polonetsky is executive director and co-chair of the Future of Privacy Forum. Dambrine is a legal and policy fellow at the Future of Privacy Forum.