A Sea Change in Europe Leaves No Shelter in the Harbor

Editor’s note: we asked Toby Duthie and Lukas Bartusevicius of Forensic Risk Alliance to provide context on the dynamics underway in the European Union now that a court has  declared Safe Harbor invalid. Their context is below. – bg


In a landmark decision on the 6th of October, the Court of Justice of the European Union (CJEU) invalidated the EU-US Safe Harbor agreement, addressing the onslaught of concern that the agreement failed to provide adequate protections for EU citizens’ private data located in, or transferred to, the United States.

The decision means that the most commonly used data transferring method between the EU and the US – allowing for over 4000 companies to store and process data in the US – is no longer an option. The impact for companies is very significant as the CJEU ruling requires for them to obtain each EU citizen’s explicit consent before moving their personal data to the US without the customers’ explicit consent – this includes such information as their name, email or home address, employee’s HR data and health-related information or any documents containing such details. In practical terms, this has implications across Europe for the way in which hospitals, for example, store patient data, businesses archive HR information, and subsidiaries share internal and external data with their US-based parent organisations.

European Data Movement Without Safe Harbor

Businesses from all sectors will, therefore, need to move quickly to ensure they comply with local country data protection and make significant changes to the way data is collected, where it is processed, hosted, searched and reviewed. This is an increasingly difficult challenge – the global digital economy increasingly makes demands on data to be fluid and to travel freely between geographies. This is particularly so as a result of recent mainstream adoption of cloud computing, managed software services and the growing importance of ‘big data’ analysis by multinational organisations. Many of these hosted service companies may not have offered EU-based data storage and processing options; routinely shipping data to the US and other territories outside the EU for backup, archiving and processing. Further, companies using third parties to store, back up or analyse their data need to conduct assessments whether the suppliers are up to speed on the changing legislation – as they can be held accountable for their third parties’ data privacy violations.

Without Safe Harbor in place, US companies will have to be up-to-speed on the individual data protection policies in individual European countries – particularly Germany, France and Switzerland, which have the most stringent rules – especially in the context of civil and criminal investigation and litigation. Taking Germany as an example – following the CJEU decision, if or when a US-based company needs to transfer data from Germany to the US, it will have to take into account state and federal data protection laws, engage with workers and potentially their counsel, review the data in Germany, and/or ask a US court or government entity to request the documents from Germany though official processes – such as a mutual legal assistance treaty (MLAT). In France, US companies will have to consider blocking statutes – and in Switzerland the Swiss Blocking Statute and Bank Secrecy laws – before transferring data out of the country. The UK’s Data Protection Act and Italy’s Data Protection Code also make data transfers difficult and need to be adhered to on a case-by-case basis.

Implications for Cross Border eDiscovery Post-Safe Harbor

In a world without Safe Harbor, companies also need to be particularly careful when data transfer is required as part a criminal investigation, particularly if it is an eDiscovery request pertaining to a US fraud or bribery investigation. If they have not already done so, businesses will need to undertake thorough reassessments of their eDiscovery practices and consider how the data relating to the investigation is collected and where it is processed, hosted, searched and reviewed. This could cover anything from emails, documents, presentations, databases, voicemail, audio and video files, through to social media and websites.

Even when Safe Harbor was in place, FRA has always recommend that all the data collection, hosting, review and analysis needed for an eDiscovery request is performed within the relevant country using tools that allow local review and segregation of data. Now, however, it is absolutely essential.

Assuming eDiscovery is outsourced, vendor due diligence is more important than ever. Only a handful of vendors can deploy robust in-country solutions. Historically, most have shipped data to larger processing centres in the UK and the US. An experienced vendor who can work with the legal team to develop an appropriate strategy and manage data transfer risks from the outset is vital.


Once the new EU legislation is in place, the EU Council and EU Parliament will be able to enforce potentially crippling fines. It is therefore vital for companies to conduct self-assessments and ensure compliance with interim data protection legislation with individual EU countries and, longer term, make sure that they have the procedures and infrastructure in place to comply with the forthcoming EU legislation. With suggestions that the EU Council are making plans to allow fines to be imposed of up to €1 Million or 2% of global annual turnover, and for the EU Parliament to levy fines up to €100Million or 5% of global turnover, it is critical that companies act now and keep on the right side of Europe’s new data protection laws.

Leave a Reply