
This article was first published in the January 2016 Ireland edition of Accounting and Business magazine.

Ireland has found itself at the centre of a legal wrangle over data privacy that has left many international companies in limbo following a ruling from the European Court of Justice (ECJ).

At stake is the so-called ‘safe harbour’ agreement, which allows companies to move digital information, such as people’s social media updates and internet searches, from Europe to the US without infringing upon an individual’s right to privacy.

Many organisations – approximately 4,400 at the last count – have been taking advantage of the agreement, including Facebook, which was the subject of the initial legal moves in Ireland brought by 27-year-old Austrian student Max Schrems.

The case related to Schrems’ complaint that data was misused when the social media giant was alleged to have co-operated with the US National Security Agency’s electronic surveillance programme, Prism, as revealed by infamous whistleblower Edward Snowden.

Schrems had made his initial complaint to Ireland’s data protection commissioner (DPC) because his Facebook data was being held by an Irish subsidiary that also used servers located in the US. The DPC rejected the claim, which was then passed to the High Court of Ireland, which in turn sought a judgment from the ECJ.

In October, the ECJ ruled the safe harbour agreement, which included a series of principles concerning the protection of personal data to which US organisations could voluntarily subscribe, was invalid.

The timing is important because for two years the EU and US have been negotiating over an updated version of the safe harbour agreement, which has been in existence for 15 years, long before the explosion in social media and international interest in ‘big data’.

And yet, the social media world did not grind to a halt. At the time of the ECJ ruling, European Commission vice president Frans Timmermans said: ‘Transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law.’

These mechanisms include the use of appropriate contract clauses, binding corporate rules, public interest grounds or, if there are no other grounds, individual consent.

‘Safe harbour is not the only route that you can use to transfer data out of Europe, but some alternatives just won’t cut it for certain commercial arrangements,’ says Deirdre Kilroy, head of the intellectual property and technology team at Dublin-based law firm LK Shields. ‘So many are looking to the US and the EU to agree a new version of safe harbour. But it is very difficult to reconcile the primary issues identified by the Schrems decision, so the only advice you can give your clients who are still using safe harbour is that the transfer of data overseas is not permitted.’

Non-compliance act

Kilroy observes that in any business there are ongoing requirements to give assurances that companies operate businesses, and perform contracts, in compliance with applicable laws. ‘Using safe harbour now would be an act of non-compliance,’ she says. She recommends that companies should move to one of the alternative routes available, or keep data in the European Economic Area.

In the meantime, international companies are taking steps to ensure that data collected in Europe stays in Europe. For instance, on the day of the ECJ ruling NetSuite, the US provider of cloud-based financial software, announced that it would be opening two datacentres in Europe, including one in Dublin. Although this was largely in response to growing demand for its services in Europe, the company said the move would enable its clients to store their business data physically in Europe. ‘NetSuite has always had high standards for compliance and security and the European datacentres will adhere to those standards,’ said NetSuite’s CEO Zach Nelson.

Similarly, Salesforce.com, another cloud-based software provider, has said it will open a datacentre in Germany to provide ‘a German cloud for German customers, based in Germany and run by Germans’. Microsoft has gone a step further by announcing a joint venture with Deutsche Telekom, in a belt-and-braces move to reassure Europeans that their data is safe from intrusion and surveillance.

But other companies will be looking for a swift resolution to how and when they can move data out of Europe – many rely on access to this data as part of their business. Mark Thompson, privacy practice leader at KPMG, says: ‘Global companies will be looking towards regulators for a sensible solution in the near future. There is a risk that if rules around data transfers aren’t handled pragmatically, this will result in a restriction of the flow of personal information across global organisations that could have a detrimental impact on their business models.

‘This could potentially impact global trade as organisations would likely be required to restructure business functions, outsourcing arrangements and business partnerships, and relocate IT assets to ensure processing of personal information does not take place inside the US.’ But Thompson warns: ‘For global organisations, this would be a substantial undertaking and the associated costs and practicalities involved could be significant.’

US lawyer Brian Hengesbaugh, a privacy partner at Baker & McKenzie, agrees that the cost to business will be material. Hengesbaugh, who was one of the original architects of the safe harbour negotiations 15 years ago, adds that in the short term, the Schrems ruling will be a ‘huge headache’ for cloud providers. ‘But then they will construct premium solutions, with localised and regionalised operations,’ he says.

However, he raises the concern that US companies could be held to higher standards in Europe under European law than their European competitors, who will be held to their own national standards of privacy protection, which can vary from country to country.

‘We have been negotiating over safe harbour 2.0 for two years now, and I’m hopeful we will reach an agreement by the first quarter of 2016,’ he adds.

In the meantime, the focus will fall on compliance obligations. As Stewart Room, a partner at PwC Legal, says: ‘In this new environment, the only safe harbour for business will be robust compliance mechanisms, mature assurance and sophisticated systems for fault detection and complaints handling. Weaknesses in these areas will be quickly identified during periods of intense scrutiny.’

Focus point

And Ireland will remain in the spotlight simply due to the sheer number of US technology companies with huge databases of personal data that have their headquarters within its shores. ‘Ireland is always going to be a focus point, and a lot of these companies have invested in datacentres. But our data protection commissioner has taken a pragmatic approach to Schrems, pointing companies towards alternative routes,’ says Kilroy.

Now the clock is ticking. The US and Europe have until the end of January 2016 to find a replacement for the safe harbour regime. If they have not done so by then, EU data protection authorities under the umbrella of the Article 29 Working Party – an independent body set up under Article 29 of the Data Protection Directive – have declared their commitment to taking coordinated enforcement action. In a statement, the working group said: ‘Transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers.’

Unfortunately, a key meeting of the Article 29 group was delayed following recent terrorist events that led to a lockdown in Brussels, which in itself will have added an additional and unwelcome dynamic to the data protection and privacy debate.

Phil Smith, freelance journalist