When you think of the phrase “quick fix,” $1 million and 18 months aren’t exactly numbers that come to mind. Yet, in the midst of the massive uncertainty created by the European Union Court of Justice (CJEU) decision to invalidate the longstanding "Safe Harbor" agreement, many have casually suggested such costly, time consuming alternatives.
The U.S.–EU Safe Harbor agreement was developed to help companies comply with a 1995 EU law that prohibits the transfer of personal data to any country that does not provide “adequate” protections for the use of that data. Only five countries outside Europe are deemed “adequate,” with the U.S. being “adequate” only to the extent that a company is committed to the Safe Harbor obligations – a commitment overseen by the Federal Trade Commission (FTC).
On Oct. 6, the CJEU ruled that the Safe Harbor agreement is invalid because of concerns related to alleged United States national security surveillance practices. This perception may be wildly exaggerated, but the ruling nonetheless creates a huge legal gap for the 4,400 American and European companies that had relied on Safe Harbor certification to adhere to EU law.
While companies in the Safe Harbor program continue to ensure a high level of data protection for the users of their products and services, developing compliance mechanisms other than Safe Harbor cannot happen overnight. Data privacy systems are legally and technically complex, and are often developed in connection with security protocols to keep data safe and bad actors away.
One “simple solution” that many in the Commission and the European Parliament have pointed to -- Binding Corporate Rules -- can cost over $1 million to develop and take 18 months to fully implement, from development to approval. The process is so complex that only about 70 companies are currently certified. Even if Data Protection Authorities increased their approval rate tenfold, that doesn’t approach the 4,400 companies left in limbo.
Another alternative, model contract clauses, might require a reexamination of tens of thousands of transfers. Small companies will be especially hard hit. Think of the startup in Berlin analyzing third party health data with a U.S. university to create breakthrough treatments. They can’t afford legal and policy teams to review tens of thousands of new contracts and may instead lose business.
Moreover, it is not just companies that will be faced with high costs. The Data Protection Authorities themselves will be inundated with requests to examine the adequacy of various data transfer mechanisms, not just with the U.S. but globally as well. The majority of Data Protection Authorities don’t have the manpower or monetary resources to undertake the potential deluge of investigation requests.
Europeans will bear most of the costs. As Myron Brilliant, Chamber executive vice president and head of International Affairs, commented:
Too many politicians and pundits overlook the fact that the Safe Harbor Agreement is vital to the ability of European firms to conduct business across the Atlantic. Also bearing the brunt of the decision will be European consumers, who will also suffer diminished access to modern data-driven services in smaller EU markets.
In the end, the hundreds of millions of European consumers who use the Internet on a daily basis to be globally connected may be the true victims of this new – and in its own way revolutionary – approach to data protection in the Internet age.
The Commission and EU Member State Data Protection authorities must now move quickly to provide concrete guidance and a reasonable transition period to firms as they move to new mechanisms, including a revised Safe Harbor agreement that the U.S. and EU have nearly concluded.
Marie Antoinette famously once proclaimed, “Let them eat cake!” when she heard France’s citizens were starving as they had no bread. If they’re not careful, the government responses to the Safe Harbor ruling may give rise to a new version of this statement for the digital age: “Let them use other data transfer mechanisms!”