By Emily Keimig
The issue of cross-border data transfer—including employee data—that is.
Four years ago, Austrian law student Max Schrems spent a semester studying abroad at Santa Clara University in Silicon Valley, where he heard one of Facebook’s privacy lawyers speak. In the wake of that class, Schrems launched an attack on Facebook’s data protection practices, asserting that they failed to comply with the EU’s more stringent privacy laws because, among other things, they exposed those protected by such laws to the perils of Snowden-esque surveillance. Today Schrems claimed victory.
For years, US companies with employees and business dealings in Europe relied upon the “Safe Harbor” agreement. Safe Harbor is an agreement between the EU and the US intended to facilitate transfer of private data (names, other identifying information, birthdate, health information, employment information and the like) between the two regions. Safe Harbor provided a means by which companies doing business in the two regions could transfer data without risk of running afoul of the different legal requirements and frameworks of the US and the EU.
Today, the European Court of Justice (“ECJ”) ruled that Safe Harbor is invalid. While the case originally challenged practices by Facebook, the implications of the ECJ’s ruling flow not only to tech giants like Facebook and Google, but to thousands of US companies in all business sectors. Any US company that transfers personal data, including employment data, from or to a country in the EU should examine its practices and compliance strategies in light of the demise of Safe Harbor.