Following on from our successful Seminar on Data Privacy and the EU in New York in June, we have since seen the European Court of Justice declare invalid the Safe Harbor data-transfer agreement which has governed data transfer between the EU and the US for some 15 years.
Safe Harbor was enacted in 2000 to expedite the transfer of data between companies and international networks and has been used by some 4500 companies. Under the arrangement, US companies transacting business in the European Union followed one uniform set of EU privacy standards, and could transfer EU-based consumers' data back to the US. It worked broadly on an assumption that if an organisation abided by the laws and regulations of one EU member state then it was being compliant with the laws of all member states.
This was challenged by Max Schrems, a 28-year-old Austrian law student whose four-year battle to restrict the activities of big US corporates resulted in victory by ending Europe's Safe Harbor provisions.
It is widely thought that after the invalidation of the Safe Harbor arrangement, EU member states can now create their own privacy rules and regulations. The reality, however, is that in that regard not much has changed. Each member state has always had its own privacy rules and regulations, and the challenges of cross-border data privacy have always posed, and still pose, a significant problem, with large fines and possible custodial sentences for breaches of those rules.
In June this year, all 28 member states of the Council of the European Union agreed to new European data protection laws that will see tough new regulations unified across the whole of the EU.
The changes will allow for a pan-European framework for privacy and the handling of European citizens' data, instead of the current scenario where data privacy is regulated by watchdogs in the country of operation within Europe, such as Ireland.
It is widely thought that the abolition of Safe Harbor simply paves the way for a smoother transition to the new European data protection laws agreed in June and due to come into effect in 2017. The Council of the European Union has already agreed that new fines for breaches of EU privacy and data protection law could be up to €1m or 2% of the company's global annual turnover. The European Parliament would have them as high as €100m or 5% of turnover (whichever is higher) when the new laws come into effect.
Clearly, this will pose a significant challenge for large US operations active in EU member states.
Altlaw currently have Data Collection teams operating in the UK, Luxembourg, France and Portugal working on urgent matters.
Where data cannot be moved, Altlaw is able to deploy mobile technology and technicians to collect, process, cull and review data within the country in which it resides, thus ensuring that only data relevant to the particular action is required to be moved, making the process of compliance and consent much simpler and more likely to succeed.