Many merchants and eCommerce companies have been paying attention to the expected impact from the recent ECJ decision, invalidating the Safe Harbor framework as the lawful basis upon which personal data transfers between Europe and the US could take place.
Essentially, the ECJ determined that the US – EU Safe Harbor Accord does not automatically provide an adequate level of protection for personal data processed in Europe. The ECJ called upon national authorities to conduct their own assessments to determine whether Safe Harbor certifications provided an adequate level of protection and to conduct their own investigations in response to individuals’ privacy complaints.
Although it will take time for the full practical implications of the decision to be felt, it has the potential to disrupt existing global data flows, or at a minimum, add layers of complexity to corporate strategies. Because of this, companies that previously relied upon Safe Harbor to transfer data from the EU to the US should consider implementing new strategies, both to ensure compliance with the ruling and to minimize enforcement risks.
Here are five Safe Harbor suggestions for merchants to consider:
- Review data flows and prioritize remediation: Consider taking inventory of the personal data that is stored and transferred within your company and prioritize key data transfer activities which must remain intact. Focus on data transfer and storage solutions that avoid the Safe Harbor-supported pathways which are already in place, and determine which data flows can be re-routed or stored using these existing solutions and which data flows can remain within Europe or other jurisdictions deemed to have sufficient protections for personal data.
- Contract analysis and policy review: Analyze existing contracts for non-compliance with EU data protection rules, and prioritize the relationships and contracts that should be amended in order to be compliant, and/or identify alternative legal or data architecture solutions. Consider reviewing and calibrating your data processing policies and practices to ensure ongoing observance of relevant laws.
- Adopt or increase the use of Model Contracts: Model Contracts are standard clauses that have been suggested by European authorities which provide contractual language deemed compliant with data protection legislation in Europe. Putting in place Model Contracts / Intra-Group Agreements, or even outsourcing data storage and other IT operations to vendors with requisite data transfer mechanisms and safeguards can help you plug gaps and provide a legal basis for your company’s data transfers.
- Consider EU country-by-country leeway: Identify where your servers within the EU are located and determine the specific local requirements and privacy priorities of national authorities where you might be afforded greater leeway for compliance.
- Proactively reach out to DPAs and monitor consumer complaints: Engaging Data Protection Authorities to build relationships and trust, while also updating consumer complaint and redress procedures, can minimize the impact of individual issues, legal claims or enforcement actions that may otherwise arise.
To be sure, there is a lot to take into account and we certainly recommend that you work closely with your legal departments / counsel to determine the best course of action. Here at GlobalCollect, our legal department is confident that our data storage and processing activities are compliant with applicable European data protection obligations. Rest assured that we are nonetheless keeping a close eye on how this matter unfolds to ensure our continued compliance and we are happy to continue supporting you by sharing our thoughts.
To learn more, please visit the Court of Justice European Union website or contact your account manager.