A major event occurred in our area of practice last October 6, 2015: Europe highest court invalidated the international agreement that allowed companies to transfer personal data (like people’s web search histories and social media updates) between the European Union and the United States.
This decision is major as it impacts international operations of companies such as Google and Facebook, leaving them in a sort of legal limbo while waiting for a solution to allow such transfers. However, despite this invalidation, it seems that these major companies decided to continue their services working as usual, which endangers European personal data transferred to the USA.
The European Court of Justice considered that the Safe Harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. This was notably evidenced by the leaks from Edward J. Snowden, which made it clear that American intelligence agencies had almost direct access to incoming personal data of European origin.
While data protection advocates hailed the ruling, industry executives and trade groups said the decision left a huge amount of uncertainty for companies and called on the European commission to complete a new safe harbor agreement with the United States as soon as possible.
Frans Timmermans, the first vice president for the European Commission, who will be charged with carrying out the ruling, said businesses could still transfer European data to the United States through other existing treaties.
Indeed, data transfer between the European Union and the USA can still be legally made by companies which have implemented binding corporate rules. The so-‐called “BCR” are rules which allow multinational corporations, international organizations and groups of companies to make intra-‐organizational transfers of personal data across borders in compliance with EU Data Protection Law.
Furthermore, the European Union has already crafted “model clauses” to include in contracts with partners and customers enabling them to arrange data transfers between the European Union and foreign countries.
Nevertheless, while waiting for the negotiation of a new international agreement, many companies will have a lot of work ahead, deciding whether they intend to implement BCR, add model clauses to their contracts, or selecting precisely which kinds of data transfer are critical and address those first for the wellness of their business.
Marianne Lecron
Comments are closed.