Safe harbor ruling: 7 things you should do now if any personal data that your company holds might go to the US
So are you prepared to answer your CEO's questions:
"What is Safe Harbor? Why is that Snowden guy involved? And how is our company affected by the media reports that I've just seen?"
Well, s/he is right to ask, as US/EU cross-border transmission of personal data has been turned on its head this week after the European Court of Justice ruled that Safe Harbor – the agreement between the US and the EU Commission to protect and transfer personal data between the EU and Safe Harbor registered US companies – is invalid.
The move brings a great number of uncertainties for in-house lawyers, not least because companies which rely on Safe Harbor directly or indirectly (through suppliers they depend on) might be open to any number of potential complaints and claims from EU citizens whose personal data they use (including staff, supplier and customer staff, and prospective customers) as a consequence of this decision.
While it is not yet clear what the most sensible response to the decision is, there are some steps that General Counsel should be taking now, as we explain below.
GCs need to act quickly to gain a clear understanding of seven key factors so they can advise their company on its position:
- The path personal data takes coming into the business and what it is used for, including personal data relating to staff, contractors, client and supplier personnel, consumer data, marketing databases, etc.
- The consents that are in place in respect of this personal data – whether they are current, effective, not opted out of, and include an explicit US transfer and processing entitlement.
- The systems, software and hardware that the data both sits on and moves through in order to be used by your company.
- The extent to which that software and hardware are subcontracted, and whether they are located in the US or owned or controlled by companies located there. Things to bear in mind are your accounting, CRM, procurement and HR software, cloud hosting, online marketing and client data collection.
- The due diligence you have done on these suppliers and how recently it was done. Are you comfortable that they contractually and in reality meet EU data privacy standards without the benefit of Safe Harbor?
- The exit, break, force majeure and compensation provisions in those contracts where there is a concern.
- The next best alternative (alternative supplier, changed process, new contractual arrangements, stopping doing something, etc.) for each "problem supply" if you cannot continue as you are.
There is a lot to do here, and if you are on top of it already, great. If not, it should be an urgent priority for your legal resources and budget.
We are all likely to be in uncharted and treacherous waters for some time to come, so it is important to be as prepared as you can be, as few businesses can operate without personal data.
You also need to be armed with the facts so that you can explain them to your CEO. For more on the facts, please read EU declares 'safe harbor' data transfer agreement invalid.