Advice from BIIA member Forrester Research: Don’t Panic; You Can Help Your US Digital Business Continue Handling EU Customer Data
Despite the tough stand the court has taken, and the media headlines, this ruling doesn’t mean that companies can no longer use Safe Harbor to transfer data across the Atlantic. However, the judgment does have significant consequences, as it:
- Extends the scrutiny of the EU into US business practices. EU national data protection authorities (DPAs) can assess each single transfer of EU citizens’ data to the US whenever a claim is brought to the attention of the DPA. This means that even those businesses that comply with the scheme can be subject to investigation whenever an EU DPA considers it appropriate to do so. And these investigations can be started and carried out without any direct involvement of the FTC, which might also run parallel actions.
- Grants the EU the power to stop any business from transferring EU data at any time. As the ECJ has declared the Safe Harbor agreement invalid, any DPA can now effectively impede businesses from transferring EU citizens’ data to the US. The implications of this decision can be massive for any business operating across the two jurisdictions. The number of firms that can store and/or process EU data locally is very limited, making their business exclusively dependent on the ability to transfer to the other side of the Atlantic.
- Opens the door to legal bottlenecks and endless disputes. The ECJ charged DPAs with an additional cumbersome task. The time and resources necessary to assess data transfers on a case-by-case basis are significant. The judgment can, in practice, paralyze the activity of the DPAs and engage businesses in endless legal battles. Consumers might feel stronger against big tech giants abusing their privacy, but, in reality, the legal bottleneck that this judgment creates could make them worse off as DPAs will need to devote a great deal of existing resources to deal with this new task.
- Provides incentive for inversion deals and acquisitions. Think of it as privacy arbitrage. In a privacy inversion deal, it’s conceivable that a US-based company merges with an EU-based company and moves its entire customer data center operations to Europe. Since Safe Harbor rules only apply to European citizens, the company would meet EU Safe Harbor rules for EU citizens and could still share US customer data back and forth across the Atlantic as needed. This alone would not be the sole justification for a merger. Yet, as companies almost always look to exploit regulatory differences, it’s an added benefit to such an action. Alternatively, marketing vendors may then scoop up EU-based marketing tech and agency firms to service their multinational clients.
We recommend reading the entire report: Quick_Take_European_Court
Source: Forrester Research Report, Complimentary Copy for BIIA Members