The highest European Union court has declared Safe Harbor invalid. Companies around the world must undertake an immediate reassessment of IT, data storage and eDiscovery policies
At the end of last year, businesses that relied on the Safe Harbor protocol to transfer data method between the EU and the US had to conduct a major review and policy shift following a landmark decision by the Court of Justice of the European Union (CJEU). It came about because, in the last quarter of 2015 the court invalidated the EU-US Safe Harbor agreement, stating that the agreement failed to provide adequate protections for EU citizens’ private data located in, or transferred to, the United States. In December the stakes were raised further when EU officials reached an agreement on a stringent new data protection regulation that will subject multinational companies to fines of up to four percent of their annual global revenue. For a company like Facebook, for example, this could mean a potential fine of somewhere close to $500 million.
The new law also requires companies to clearly explain what customer and/or HR data is being used for. For the first time, it also offers a “right to be forgotten” provided there are no legitimate grounds for retaining the data and a right to know when your data been hacked. In this instance, companies would need to notify the relevant supervisory authority of serious breaches as soon as possible so that customers and staff can take appropriate protective measures. Assuming that the law is approved by the European Parliament and each of the member countries next year, companies would have until 2018 to comply fully.
In the meantime, companies will have to move quickly to ensure they still comply with local country data protection and may need to make significant changes to the way data is collected, where it is processed, hosted, searched and reviewed. The CJEU ruling requires companies that did rely on Safe Harbor to obtain each EU citizen’s explicit consent before moving their personal data to the US. In practical terms, this has implications across Europe for the way in which businesses in the sector store customer data and archive HR information – as well as the way in which subsidiaries share internal and external data with their US-based parent organisations. Explicit customer and/or employee consent is now required for transferring name, email or home address, employee’s HR data and health-related information or any documents containing such details.
In a world without Safe Harbor, financial sector companies need to be particularly careful when data transfer is required as part a criminal investigation, particularly if it is an eDiscovery request pertaining to a US fraud or bribery investigation. If they have not already done so, businesses will need to undertake thorough reassessments of their eDiscovery practices and consider how the data relating to the investigation is collected and where it is processed, hosted, searched and reviewed. This could cover anything from emails, documents, presentations, databases, voicemail, audio and video files, through to social media and websites.
Even when Safe Harbor was in place, FRA has always recommend that all the data collection, hosting, review and analysis needed for an eDiscovery request is performed within the relevant country using tools that allow local review and segregation of data. Now, however, it is absolutely essential.
All of this means that, without Safe Harbor in place, US-based financial sector companies will have to be up-to-speed on the individual data protection policies in individual European countries – particularly Germany, France and Switzerland, which have the most stringent rules – especially in the context of civil and criminal investigation and litigation.
Once the new EU legislation is in place, the EU Council and EU Parliament will be able to enforce proposed, new potentially crippling fines. It is therefore vital for companies to conduct self-assessments and ensure compliance with interim data protection legislation with individual EU countries and, longer term, make sure that they have the procedures and infrastructure in place to comply with possible forthcoming EU legislation. It is, therefore, critical that financial sector companies act now and keep on the right side of Europe’s new data protection laws.
[su_box title=”About Toby Duthie” style=”noise” box_color=”#336588″]Toby Duthie, a co-founder of FRA and head of its London office, has more than 20 years’ experience in financial analysis, complex financial modeling, investigations and compliance reviews. Fluent in English and German, Toby has particular expertise in multi-jurisdictional investigations, anti-bribery and corruption compliance testing, and specializes in matters of government enforcement in the UK and US. As one of FRA’s founders, Toby was instrumental in developing the firm’s white-collar and regulatory defense services across Europe and has been integral in resolving such high-profile FCPA enforcement cases as Panalpina, Bonny Island LNG, and Oil-for-Food. He has worked on matters involving UK, Swiss, Dutch, and French regulators and has extensive experience calculating damages in FCPA enforcement actions. He has worked on three of the ten largest FCPA settlements.
Toby has worked on a number of complex financial frauds which have involved damages analysis and modeling in a variety of jurisdictions, including the US, Japan, Austria, and the UK. He also set up the UK’s first third party litigation funding company in 2002 (IM Litigation Management Limited) which pursued over 50 claims with over a 70% success rate. A graduate with honors from University College London, Toby worked as a steel trader in Hong Kong and in the investment banking division of Deutsche Bank/Morgan Grenfell.[/su_box]