A current decision of the European Court of Justice (ECJ) concerning the practice of transferring data from Europe into the USA brings many companies on both sides of the Atlantic to unrest: Many comments and publications spread the rumour that storing personal data on servers in the US is with immediate effect automatically illegitimate. However, that is not quite right. There are still many possibilities for carrying out data exports into the USA rightfully.
Do enterprises that e. g. use cloud services from US-American providers have to act quickly now and retrieve their data or that of their customers? Even if the content of the information is not really sensible? Do companies otherwise have to expect high penalties?
Single case inquiries
The decision of the European Court of Justice (ECJ) doesn't make data transfer from Europe to the United States for the more than 5000 Safe Harbor registrated companies illegitimate per se. However, the Data Protection Authorities of the member states are now empowered in single cases to examine companies that transmit data on the basis of Safe Harbor into the United States or let it being processed there. In case of offences against the law the Data Protection Authorities may prohibit the transfer of personal data into the United States with a formal prohibition order as ultima ratio.
According to some regulating authorities the decision has also consequences for the standard contractual clauses and Binding Corporate Rules (BCR) published by the EU Commission as alternative to Safe Harbor, since the ECJ judgement grounds on the fact that administrative bodies in the USA are able to take hold of any data, mainly on the basis of the Patriot Act (see the box). This is naturally also possible when data is exported into the US not on the grounds of Safe Harbor, but on the basis of other instruments such as standard contractual clauses or BCR. A further decision hereupon remains to be waited for. National and European Data Protection Authorities will play a central role in this process. According to the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) it has still to be examined "if and how far data transfers into the USA are to be suspended".
New Agreement in preparation
Already since 2013 the EU and the United States are negotiating a new Safe Harbor Agreement with an eye to European standards. It therefore doesn't have to be excluded that national resp. regional European authorities agree upon a transition period in which no concrete examinations through the Country supervisory authorities and thus no prohibition notice against companies are going to take place. Corresponding agreements on a regulatory level are being expected in the next days.
A prerequisite could be that the governments agree upon a new Safe Harbor by a certain point of time. Like this the regulatory authorities would shift the pressure built up by legislation away from the companies to - at least temporary - the acting political decision makers. Substantially the upcoming negotiations between the transatlantic partners are likely to deal mainly with the access on European data on basis of the Patriot Act - besides the up to now too superficial realizations of the Safe Harbor rules and the thereby inappropriately carried out self certifications in the concerned companies.
As shown Standard Contractual Clauses or Binding Corporate Rules (BCR) can be alternatives to Safe Harbor and a legal ground for every international data flow. Even if the Hamburg Commissioner seems to see this differently, these other mechanisms have hardly lost their applicability and validity by the ECJ decision, last but not least since this ruling only dealt with Safe Harbor. The British Information Commissioner's Office for Data Protection and the Luxemburg Government, which holds also the EU presidency at present, share this opinion. Regarded logically the same argument as for Safe Harbor could be applied to these two alternatives, since the Patriot Act and other US Acts don't differentiate between the legal grounds on which data is being exported into the USA.
Couldn't you then deem any intra-European data flow to be invalid if there was any national act enabling authorities or governmental bodies in the way the Patriot Act does? If you look for example on the according UK acts they appear pretty similar to what the Patriot Act provides. Taken that, anyone believing that now BCRs are not capable of justifying transatlantic and other data flow any more must logically vote for a stop of intra-European data flow as well.
This law was enforced by the USA as consequence of the terrorist attacks on September 11th, 2001. It allows US authorities in certain cases anytime to access data of US-American companies and their customers. This applies also information stored on servers of European subsidiaries. According to many companies this counteracts the older Safe Harbor Agreement from the year 2000, which includes clearly defined safeguard measures for transferring personalized data between Europe and the USA.