Planning for the Post-Safe Harbor Era
The European Court of Justice’s demolition of Safe Harbor two months ago has spawned a host of data residency compliance questions from clients, former clients and prospects: What privacy and security due diligence should companies perform as they use, adopt or plan for the cloud computing services required to make their businesses operate competitively?
It is considered unlikely that there will be a replacement “blanket solution” for Safe Harbor in the next year or two, if ever. Some state of uncertainty on EU data residency requirements is likely to persist for cloud service providers (CSPs) and enterprise customers. Companies that relied exclusively on Safe Harbor in the past must now consider another legal vehicle for their transfers of personal data from the EU to the U.S. (or to other non-EU jurisdictions). The new vehicle is most likely model contracts.
So, start out by reading up on model contracts. For the transfer of personal data to third countries, the EU Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA and one set for transfers to processors established outside the EU/EEA.
Establishing your own model contracts based on the Commission’s language, or reviewing a CSP’s contracts for acting as your company’s personal data controller or processor is a job for the lawyers. Carrying out the data transfers and protecting the data correctly is a job for the architects and technologists.
What is the biggest risk?
Companies may prematurely make major changes to their compliance posture before receiving official guidance and waste resources. But it is also possible that individuals may approach their local EU Data Protection Authorities (DPAs) to challenge data transfers made by specific companies that have operations outside the EU, or that use providers outside the EU. How likely that is will probably depend on the nature of a company’s business dealings with employees and customers, as well as on where those people are located.
Companies that already relied on model contracts may need to review them to see if they cover the personal data that was previously covered by Safe Harbor. They also need to review their third-party service providers’ model contracts and get a post-Safe Harbor compliance roadmap from those providers (e.g. Microsoft, Salesforce, etc.). Companies also need to monitor the regulatory space closely, in case the EU Court of Justice invalidates aspects of model contract coverage in the future.
Finally, review the recommendations from my previous post to establish architecture guidelines for how to build or utilize technical solutions in the post-Safe Harbor era. Personal data has been called “the new oil” of the information economy. You have to design your systems not to spill it.