US Companies Face Exposure Following EU Rulings on Data Privacy: EU Imposes January 2016 Deadline
Finding that the US cannot assure an adequate level of data protection to EU residents, the European Union’s Court of Justice invalidated the 15-year-old “Safe Harbor” agreement negotiated by the EU and US. Thousands of US companies presently rely on this agreement for compliance with European privacy laws, since it allows them to transfer personal data from Europe to the US in a manner deemed legal. Just two weeks later, on October 16, 2015, the EU’s Data Protection Authorities issued a deadline of January 2016 for an “appropriate solution” to be reached with the US, failing which companies may be subject to “coordinated enforcement actions” by the EU.
Up to now, the agreement permitted US companies to ‘self-certify’ that their internal safeguards satisfy the EU requirements for data security. The recent ruling, and the new deadline, should have corporate counsel, as well as IT departments and CIOs, urgently reviewing current policies and considering how best to address compliance issues.
While the claims in the underlying case itself are referred back to the Irish trial court, the larger fallout concerns how US companies may continue to store data on EU companies and individuals. The EU Court has suggested that “data protection regulators” in each of the EU’s 28 member nations should have oversight of how US companies collect and store data of their citizens. This prospect could have profound effects on US companies, given the differing standards of privacy throughout the EU member nations. While the European Commission has suggested alternatives to transfers of data to US-based servers, such as direct consent or individual contracts, these solutions will likely be unwieldy given the sheer number of end users involved. Also, while other treaties exist that may allow US companies to continue to transfer data, it is unsettled whether these safeguards can insulate US companies from exposure to complaints and litigation from EU residents, EU member governments and privacy watchdog groups.
This issue will remain unsettled for the foreseeable future, given that a new Safe Harbor type agreement is far from complete while the January 2016 deadline looms. So, companies looking to minimize their exposure need to develop interim plans. The following are questions that should factor into those plans.
- Does my organization house data for EU users on EU-based servers? If not, have my users been notified that their data is housed on US-based servers?
- Do I know what data my organization houses “off shore”? This includes email server databases, SharePoint servers and file servers.
- How is my Cloud infrastructure configured? Do I have a U.S. and an E.U. Cloud? Does my organization have policies in place that define which user data is stored in which Cloud geographic location?
- Do I have email hosted by Microsoft Office 365? Where is that data physically located?
- Do I know where and how corporate email is archived? Is it in one location (U.S. or E.U.) or is it distributed (multiple archives in different geographic locations)? Do I have policies in place that control the access of my E.U.-based archives by U.S.-based humans or applications?
As the industry leader in email archive migrations, Archive360 has extensive experience assisting corporations in migrating custodial data (both active and archived) to new locations, in compliance with EU privacy laws.
See Press Release No. 117/15 from the EU Court of Justice, released in Luxembourg, 6 October 2015. The case is C-362/14, Maximillian Schrems v. Data Prot. Comm’r (E.C.J. 2015). The Agreement can be found in Federal Register Volume 65, Issue 142 (July 24, 2000).
See Statement of the Article 29 Working Party, Brussels, 16 October 2015. http://ec.europa.eu/justice/data-protection/article-29/index_en.htm
See the EU’s 1998 Data Protection Directive.