In the wake of last week’s bombshell decision by the European Court of Justice (ECJ) to invalidate EU-US Safe Harbor, many organizations are scrambling to take immediate steps to limit their risk. While the ECJ decision takes effect immediately, it is extremely unclear how cross-Atlantic data transfers will be governed without Safe Harbor.
The initial advice from many regulators and law firms is for data exporters and importers to immediately adopt “Model Clauses” that have been approved by the European Commission for data transfer. In fact, on the morning of the Safe Harbor announcement numerous cloud providers issued addendums to their contracts including EU contractual clauses.
Now that Model Clauses are essentially required, it raises many questions: will they be effective, will they improve enforcement, and will they ultimately force organizations to improve their data security.
There is no doubt that Safe Harbor was flimsy and overdue for an overhaul. Its self-certification requirements could easily be abused, and EU citizens were given no legal recourse to challenge how their data was handled in the US. If we use the analogy of the Three Little Pigs, Safe Harbor was definitely a house of straw. But stretching my analogy, one can argue that Model Clauses are a house of sticks – definitely an upgrade, but hardly adequate when the data stealing wolves show up.
A core problem is that without Safe Harbor, anyone touching an EU citizen’s data is subject to a fragmented legal system with different Data Protection Authorities (DPAs) in each of the 28 EU countries. The biggest challenge with the Model Clauses is jurisdiction. They make it explicit that each DPA has authority to interpret and enforce data protection laws for their respective citizens. While this is logical it’s also completely impractical for most multi-national organizations. According to a blog from the UK law firm Field Fisher:
“Model Clauses neither provide the protection for data that customers and regulators think they do, nor are they actually complied with in practice – more often than not, they’re signed, put in a drawer and forgotten about. For data importing vendors, they are also woefully impractical – containing subcontracting controls that are unrealistic, excessive audit rights, and no liability limitations.”
There is no simple solution to this legal morass, and it will take months, if not years, to sort out. But there is a technical solution to reduce the risk of international legal entanglements – protect sensitive data to minimize the amount of private information that leaves your country. Anonymizing data before it leaves your control through encryption or tokenization continues to be a robust and legally supported solution. Multiple legal experts recommend anonymization of personal data as part of a post-Safe Harbor strategy including the international law firm Goodwin Proctor:
“If companies can rely on anonymous data instead of transferring actual personal data, that data would fall out of the scope of EU data protection laws.”
Check out our Global Compliance Center to learn more: