A lot is being said about the CJEU's ruling on Safe Harbor. Without any doubt, for the privacy community this is the most important legal development since the EU Commission's announcement of a revision to the Data Protection Directive of 1995. What the Court's ruling shows us is that privacy has become a major area of law and an absolute priority in terms of compliance for any company.
Among the many issues that this decision raises, I'd like to focus on two key issues. The first is enforcement. Many companies are wondering what the risk is for them now that Safe Harbor has been pronounced invalid. As a lawyer, I believe there is no point in arguing the CJEU's ruling (see our analysis of the CJEU's ruling in the Max Schrems case). Some may disagree with it, but it is now the law in Europe, and we need to accept it.
As a practitioner, however, I think we need to analyse the Court's decision in a practical and pragmatic manner. Strictly from a legal point of view, the CJEU's decision leaves no room for interpretation: Safe Harbor is invalid, and so companies can no longer rely on it to transfer their data to the U.S. But, in practical terms, it is unrealistic to think that EU companies will suddenly pull the plug and stop transferring their data to the U.S.
Technically, I'm not sure this is feasible, and, certainly, this would have a devastating effect on our economy and on the relations between the EU and the U.S. It also seems unlikely that the national data protection authorities (DPAs) will suddenly begin to investigate companies, or worse, to sanction them because they continue to transfer personal data to the U.S. Let us not forget that in many EU member states, the national DPAs have approved the transfers of data to the U.S. on the basis of Safe Harbor. In my opinion, it would make no sense, and would serve no real purpose, if the DPAs would suddenly repeal the approvals that they have granted to thousands of companies over the last 15 years.
That is not to say that the DPAs will take no action. On the contrary, there is now a high expectation for companies to reassess their data flows and, where needed, to implement new measures for transferring data outside the EU. It is also important to note that, while Safe Harbor can no longer be used as a legal basis for transferring data outside the EU, the measures that companies have put in place to comply with the Safe Harbor principles should remain valid. In the end, what really matters is whether and how companies are safeguarding the data they transfer outside the EU, regardless of the legal basis on which they rely to do so. And so, as a short-term solution, a decision from the DPAs to grant companies a grace period that would allow them to leverage the efforts they have made in the past in order to transition toward another data-transfer mechanism would certainly be welcome. At the same time, let's not be naïve. The CJEU's ruling empowers the DPAs tremendously and, once the General Data Protection Regulation (GDPR) is finally adopted, they will have unprecedented powers to investigate and sanction companies. So the clock has already begun to tick for those companies that were relying on Safe Harbor...
The second point I'd like to make is that the national DPAs have here a unique opportunity to send a clear and consistent message to the world. Some people are already commenting—rightfully so!—that there is a risk that the court's decision will be interpreted differently by the DPAs in their respective jurisdictions, which would result in a patchwork of different interpretations and solutions across Europe. Well, I think the situation demands that the Article 29 Working Party adopt a common and unified position. Too often, Europe has been criticised for its lack of harmonisation and its fragmented approach to law. Now is the moment to show the world that Europe can speak in harmony. If the DPAs fail to seize this moment, the risk is that the relations between the EU and the U.S. will be significantly damaged, and this will leave literally thousands of companies in limbo.
As for the issue regarding the disclosure of personal data to foreign authorities, which is really the pivotal issue here, the CJEU's ruling has repercussions beyond Safe Harbor because it concerns data transfers as a whole—meaning that the analysis can be applied to adequacy decisions, the EU model clauses and Binding Corporate Rules. Thus, the CJEU's decision calls for EU legislators to adopt a coherent and consistent position on this issue across the different legal frameworks that are currently being prepared: the GDPR, the "new" Safe Harbor framework and the so-called Umbrella Agreement on the transfers of personal data between the EU and the U.S. for justice and law-enforcement purposes. And so, once again, consistency seems to be the key word to ensure that a fair balance is found between the protection of the individual's privacy and the freedom to conduct business—both of which are fundamental rights under the European Charter of Fundamental Rights.
Europe may be holding the key to the future of privacy, but it needs to embrace this future with a clear, pragmatic and realistic vision. Otherwise, I fear the upcoming GDPR will fail to achieve its goal.
This article was first published in the IAPP's Europe Data Protection Digest on 9th October 2015.