The ability of companies to easily transfer personal data between Europe and the US has been thrown into doubt by a recent European Court of Justice (ECJ) ruling that threatens to disrupt transatlantic data traffic and cause problems for IT software and services providers.
Internet companies including Facebook, Google and Yahoo are among the companies likely to be impacted hardest by the ruling although, at least for the moment, most of SAP’s customers will not be affected because they have generally not relied on the ‘Safe Harbor’ provisions outlawed by the Court.
The ECJ ruled that the 15-year-old ‘Safe Harbor’ agreement, under which companies have been able to transfer personal data between Europe and 11 other countries including the US (without prior approval by Data Protection Authorities), was invalid because it prevented European data protection agencies from intervening to protect citizens who claimed their right of self-determination and privacy had been breached.
The ruling, handed down by the ECJ on October 6 in the case of Maximillian Schrems vs. the Irish Data Protection Commission, follows revelations two years ago by Edward Snowden about widespread US data surveillance and could have far-reaching consequences.
“The ruling confirms that the right of self-determination and privacy of an individual remains inviolable. It is very likely to have a significant impact on data transfers between the member states of the European Union/European Economic Area (“EU/EEA”) and the United States of America and potentially also between the EU and other countries,” says Mathias Cellarius, SAP Data Protection and Privacy Officer. “It further generally strengthens the position of the local data protection authorities in the EU to independently audit the legitimate basis of data transfers on an individual case.”
In the wake of the Court ruling, the European Data Protection Authorities said that they will no longer accept data transfers based on Safe Harbor and called for the negotiation of a new agreement that would meet the ECJ requirements. (SAP is viewed as a trusted advisor by all parties in the current negotiations.)
As a general practice, SAP has not relied on Safe Harbor for data transfers to the U.S., but instead has made use of the approved and stricter Standard Contractual Clauses (aka EU Model Clauses) issued by the EU Commission.
A few legacy customers of companies acquired by SAP in recent years are, however, covered by Safe Harbor agreements. “Of course, SAP is prepared to work with its customers to amend their legacy agreements to the SAP standards – which are based on the Standard Contractual Clauses, if applicable,” says Mathias.
“Under these circumstances, every company has to make sure that they are in line with the existing law and to make necessary amendments where appropriate,” he says.
But operating under Standard Contractual Clauses may provide short-term protection only, since they are also subject to legal review as an overall consequence of the ECJ ruling. The EU data protection authorities themselves have said they will only accept them until sometime in January 2016. What happens beyond that period is uncertain.
One option for companies operating in Europe is to store and process the personal data of European citizens locally. Anticipating this requirement, SAP launched a unique opt-in support service for its EU-based customers in July called ‘EU Access from SAP’.
“This new service enables customers to have their data hosted, processed in data centers located within the European Union, the European Economic Area and Switzerland and furthermore remote access is restricted to resources located in the aforementioned areas only,” explains Cellarius. “As a result, European customers can avoid any uncertainties around international data transfers which the ECJ ruling has created.”
EU Access from SAP is already available for on-premise systems and a growing number of SAP cloud services (SaaS and others), providing SAP’s customers with a key advantage over competitors.
Safe Harbor II
Meanwhile, EU and US trade negotiators are now trying to formulate a new comprehensive ‘Safe Harbor II’ agreement that would comply with the ECJ ruling and avert the danger that Europe ends up with a patchwork of incompatible local regulations.
Even if a new agreement emerges, the current Standard Contractual Clauses will still need to be adjusted to comply with the ECJ ruling. But without such an agreement, some commentators warn that Europe risks becoming isolated and that global trade could suffer.
“We don’t want any isolation of Europe or the US or other territories,” says Mathias. “We operate in a global market and we believe the free and secure data flow among Europe, the US and other regions is essential for the success of data-based business models and is important to remain competitive and to create jobs.”
Whatever the outcome of the current negotiations, industry experts argue that it is important that the current uncertainty is resolved quickly and that companies have enough time to undertake an orderly transition from the old Safe Harbor provisions to whatever replaces them.