Special report: Confusion reigns in wake of safe harbor ruling

More than 4,400 companies find themselves in digital limbo.

October 6 marked the end of a 15-year-long era and the start of a realm of legal uncertainty and potential Internet fragmentation.

The European Court of Justice ruled the so-called safe harbor agreement between the United States and the European Union was invalid, forcing more than 4,400 companies, including Facebook and Adobe, to find alternative ways to transfer personal data across the Atlantic.

By signing the transatlantic data transfer agreement, U.S. companies self-certified they adhered to EU’s data protection standards. By invalidating the pact, the ECJ stated they in fact did not.

The decision could also have implications for the 11 other data transfer agreements the EU has with countries such as Canada or Israel: They too could be invalidated if EU citizens were to complain. Besides, some EU countries, especially France and the U.K., have surveillance programs resembling those in the U.S., so local laws could now also be challenged.

“Companies are now left with not a lot of other alternatives. The fact that authorities have pronounced themselves but not with clarity is also a problem,” said Monika Kuschewsky, a data protection lawyer in the Brussels office of Covington & Burling.

The EU and the U.S. are currently renegotiating new terms to try and agree rapidly on a “safer, safe harbor.” Justice Commissioner Věra Jourová will fly to Washington in mid-November to discuss the next steps with U.S. Commerce Secretary Penny Pritzker.

But if no appropriate agreement with the U.S. has been reached by January, the EU national data protection authorities, which have been empowered by the Court’s decision, threaten to take “coordinated enforcement actions.”

In the meantime, many companies are unsure how to cope with the fallout of the judgement.

After the ruling, accusations of protectionism against the invalidation were quick to rise on both sides of the Atlantic. The White House was “disappointed” and worried about the economic consequences while Chris Sherwood, head of public policy for Poland-based Allegro viewed the ruling as “the latest chapter in a long series of attacks on the U.S. by European politicians.”

The European Commission also suffered collateral damage to its credibility. It had been defending the safe harbor pact, despite the fact the court said it did not meet the standards of its own data retention directive.

Click Here: Cheap Chiefs Rugby Jersey 2019

On the other hand, the ruling was perceived as a win for civil liberty activists and praised on Twitter by Edward Snowden himself.

That is partly why data protection advocates are pessimistic about a safe harbor 2.0 without consequential changes in American law to give Europeans greater protection.

“There cannot be a ‘safe harbor-plus’ in this legal environment,” said Jan Philipp Albrecht, a Green member of the European Parliament and vice-chairman of the Parliament’s civil liberties committee.

But the U.S. legal environment could be changing. Last week, the House of Representatives approved the Judicial Redress Act, a bill aimed at extending privacy rights to citizens of major U.S. allies. The Act now moves to the Senate.

In any case, a new legal framework has to be fashioned quickly because data transfers have no legal protection and there was no grace period for firms to implement new mechanisms.

Both EU and U.S. officials are accusing the other side of not appreciating the urgency of the situation for businesses.

Digital Commissioner Günther Oettinger said last week the EU was willing to reach an agreement as soon as possible, adding, “I’m not sure our American partners are willing to accept all the obligations from the European court.”

The day after, Commerce Secretary Pritzker said the Commission did not “seem to share as much urgency as we do.”

Meanwhile, most companies are in the dark.

More than two weeks after the ruling, Autodesk’s spokesperson said in an email the software company is still “awaiting additional guidance from European regulators on how the court’s ruling will be implemented.” For now, Autodesk “continues to comply with the previous safe harbor principles.”

Moreover, companies that relied solely on the annulled agreement to transfer data could face legal action.

Tech industry groups met with key commissioners on October 14 and urged them to make sure national data protection authorities in member countries implement the judgement consistently.

Giants such as Airbnb or Facebook said they will not be significantly impacted by the ruling because they rely on other legislative mechanisms.

For many other smaller companies however, the court’s decision came as a shock. “I was not even aware that it was happening,” said Paul McClanahan, founding partner of the Boston Research Group on the day of the ruling.

This week, Germany’s data protection authorities stopped authorizing applications for data transfers to the U.S.. The move breaks rank with other EU data protection authorities and leaves companies in Germany almost no legal mechanisms to export data to the U.S..
Regulators also said they would prohibit all data transfers they learn about that still rely on safe harbor alone.

Data protection agencies were empowered by the ruling, which stemmed from the case of Austrian law student-turned-data-protection activist Max Schrems, who unsuccessfully tried to get the Irish data protection commissioner to investigate the transfer of his personal Facebook data to the U.S. after the Snowden revelations in 2013.

Last week, an Irish high court said the country’s data protection authority was obliged to investigate Facebook’s data transfers to the U.S..

“At least [the Irish regulator] has to pretend to do something now,” Schrems said.