EU Ruling Means More Paperwork for Tech Firms

Big companies such as Microsoft and Salesforce had already developed a workaround in anticipation of the court ruling, adopting clauses in contracts with individual customers containing privacy guidelines set forth by the European Union. These contracts, with what is called the “EU Model Clause” allow U.S. tech companies to legally transfer customer data across European borders.

Francoise Gilbert, a partner at law firm Greenberg Traurig, LLP, said she is advising her startup clients to immediately start adopting the EU Model Clauses, among other measures, to show customers they’ve already moved beyond the Safe Harbor provisions. But these clauses have created more work and more billable hours for law firms, she says.

The model clauses run about 11 pages and contain more detailed principles and responsibilities than the general guidelines set forth under Safe Harbor rules. For example, companies that use the contracts agree to have their data transfer practices audited by a third party, said a privacy expert at a big U.S. company.

A large enterprise with a lot of legal entities might have to execute hundreds of different versions of the contracts that all essentially say the same thing, just to have its paperwork in order.

Maureen Dorney, an attorney and founder of Paradigm Counsel, said she’s been advising her startup clients for months on the likely scenario that the Safe Harbor pact gets thrown out. It’s created a massive headache for some companies, she said.

The Safe Harbor agreement dated to 2000, when the European Commission allowed U.S. companies to transfer customer data in and out of Europe, so long as they agreed to certain principles about how to protect user privacy. Companies won Safe Harbor certification by sending a form to the U.S. Department of Commerce.

With Safe Harbor, after adopting the prescribed privacy measures, “You just go on the web site and say I’m in compliance,” Ms. Dorney said.

A large enterprise with a lot of legal entities might have to execute hundreds of different versions of the contracts that all essentially say the same thing, just to have its paperwork in order.

Relieving the Burden

One option that could relieve some of the extra administrative burden, at least for large companies, is what’s known as a binding corporate rule. Under such a rule, a big multinational company would agree to define the rules around how it handles data transfers within its own group of legal entities. If European regulators approve the company’s rule, then it can at least transfer data among its own group of legal entities without as much paperwork. The rule still doesn’t apply to transferring data to other companies. And, like the model contracts, it’s still much stricter than the old Safe Harbor rules.

Ms. Gilbert said that despite the extra work created by the model clause, it hasn’t solved the underlying problem as laid out in the original 2014 lawsuit filed by Austrian privacy advocate Max Schrems, which led to the ruling. Mr. Schrems sued Facebook, claiming the company violated his privacy and argued that in the wake of revelations by National Security Agency contractor Edward Snowden about the NSA’s surveillance on foreigners and Americans, the Safe Harbor pact wasn’t sufficient to protect his personal information.

“If we now move the data under the Model Clauses, it will do the same thing. The NSA says give me the data. Nothing has changed,” said Ms. Gilbert. “What’s the point of killing Safe Harbor if you can do exactly the same thing?”

The bigger question is what a new agreement between the U.S. and E.U., to replace the Safe Harbor pact, would look like. Such an agreement has been the subject of talks for nearly two years now, well before this week’s ruling.