ECJ-Safe Harbor Trickle Down Is Already Starting
First, the European Court of Justice (ECJ) ruled that the 15-year-old Safe Harbor agreement, which allowed companies to transfer data between the E.U. and the U.S., was invalid, effective immediately.
Then the Article 29 Working Group (which is responsible for Safe Harbor) met and said that if the E.U. and U.S. don’t come up with a new agreement by the end of January, country data commissioners are free to start filing complaints and fining companies.
This week, the Israeli Law, Information and Technology Authority revoked its prior authorization to transfer data from Israel to the U.S. There is a somewhat strange relationship between Israel and the E.U., which sort of makes Israel an honorary member of the E.U., and Israel had been using the Safe Harbor agreement as a way to justify transferring data from Israel to the U.S. That is no more.
That means that companies that don’t have binding corporate rules or standard contract clauses that have been approved by at least two E.U. country data protection authorities (once you get to 2, you sort of have a free pass for the rest of the E.U.) can no longer transfer data between Israel and the U.S.
This means that U.S. Silicon Valley companies that have offices in Israel, Israeli companies owned by U.S. companies and Israeli companies that work closely with U.S. companies will need to figure out a new strategy or risk facing fines.
Since it can take 6-12 months to create and get approval for binding corporate rules, this is not something you can change overnight.
Also, since the U.S. and E.U. have been working for two years on a new version of Safe Harbor, which was really a minor tweak, and now they likely have to reinvent Safe Harbor, I doubt it will be done by the end-of-January deadline.
While many very large companies (Facebook, for example) were already concerned about this and have been working for a year or two to get Binding Corporate Rules or Standard Contract Clauses approved and in place, smaller companies likely have not done that and should now be in a full-scale fire fight.
We do not know what the data protection commissioners are likely to do come February 1, 2016, but waiting to see is probably not a good strategy.
It will be interesting to see if there is other fallout before the January 31, 2016 deadline – stay tuned.
If you are a company that does transfer personally identifiable data between the U.S. and the E.U. or Israel, you should already be talking to legal counsel to see what you need to do to stay off the radar.
Information for this post came from IAPP.