Legal teams face new data privacy challenge

Legal teams face new data privacy challengeData privacy poses significant challenges to businesses, and is an area that has required growing attention from legal teams in recent years.

Uncertainty makes the issue even harder to deal with effectively; yet this is precisely what organisations are currently faced with, following the European Court of Justice’s (ECJ’s) decision to pass a non-binding opinion declaring that a controversial data sharing agreement between the EU and the US in invalid.

Is there a future for the ‘Safe Harbour’ agreement?

Developed back in the late 1990s, the Safe Harbour agreement was designed to streamline the process of transferring data between companies and international networks. Specifically, it allowed US companies operating within the EU to follow a single set of privacy standards, and to transfer data from EU-based customers back to servers on the other side of the Atlantic.

While this idea seems sensible in theory, it has been shrouded in controversy following revelations from former CIA employee-turned privacy whistleblower Edward Snowden.

These revelations have prompted fears that the US government has been accessing private data, provoking a growing desire for such information to be localised. Russia has already taken steps in this direction, demanding that all data on Russian citizens be stored within the country’s borders. With the ECJ’s decision, similar regulations could well be applied across Europe.

How the ECJ reached its decision

The case against Safe Harbour came about from a complaint put forward by Austrian privacy activist Max Schrems.

A number of US internet companies, including social media giant Facebook, are alleged to have shared data on European consumers with US intelligence services – a claim that Facebook refutes, insisting it did not provide “backdoor access to Facebook servers and data to intelligence agencies or governments”.

In a stern statement of intent, ECJ advocate general Yves Bot declared that governments should hold the right to stop the US from accessing EU citizen’s data if it violates European laws on data protection. Declaring the Safe Harbour agreement “invalid”, he explained: “In light of the important role played by the national authorities with regard to data protection, their powers of intervention must remain intact.”

A ‘game-changer’ for European data privacy powers?

The ECJ’s move represents a “game-changing” view on the European Commission’s power to override data privacy regulators from member states, according to Stewart Room, PwC partner and head of PwC Legal’s data privacy and protection practice.

“The advocate general takes the view that the Commission cannot bind the national regulators. In other words, the views of the member states’ regulators trump the central view of Brussels,” he said. “This presents a real threat to the Safe Harbour data transfer regime to the US.”

But what does the move mean for businesses and their legal teams? Room believes it has created a “huge amount” of uncertainty within the legal framework. “It has the potential to cause chaos in transatlantic data flows. If the Court of Justice sides with the advocate general, then multinationals will have to fully rethink their global strategies for data privacy compliance.”

Our Market Reports combine a review of the prevailing conditions in the in-house legal recruitment market with the results of a comprehensive compensation survey of lawyers registered with Barclay Simpson.ADNFCR-1684-ID-801804141-ADNFCR