New Transatlantic Data Privacy Law on Horizon


A new transatlantic data privacy law impacting thousands of American companies is on the horizon and even more significant in the wake of the monumental Schrems v. Ireland ruling, the European Commission’s top official on privacy issues said during an October 18 panel at Fordham Law School.

The European Court of Justice’s ruling in October struck down the 15-year-old transatlantic “Safe Harbor” agreement on data privacy, finding that the European Commission failed to assess if American companies such as Facebook were able to adequately protect data on European citizens from American government surveillance in light of the Edward Snowden revelations on the NSA.

With no European level transatlantic agreement in place, the Court noted that each European country must evaluate whether companies storing and transmitting data to the United States are able to provide adequate privacy protection. Such a nation-by-nation regulatory process would make data storage and transfer costlier and more onerous for the 4,500 American companies who followed Safe Harbor, data privacy experts said during the panel titled “U.S. and Europe at a Privacy Crossroads.”

Paul Nemitz, the director of Fundamental Rights and Citizenship in DG Justice for the European Commission, expressed optimism that a new agreement, nicknamed Safe Harbor 2.0, would be adopted by the United States and the European Union in the near future, assuaging concerns on both sides of the Atlantic about data privacy. Nemitz shared his thoughts with moderator Joel Reidenberg, the Stanley D. and Nikki Waxberg Chair in Law and Founding Academic Director for the Center on Law and Information Policy (CLIP) at Fordham Law School.

“We are determined to come to a successful agreement by the end of January,” Nemitz said. “It is clear we want to provide the basis for easy data flow between the U.S. and Europe.”

The arrangement must be a bulletproof one, Nemitz continued, expressing the adage it takes two to tango with regard to the U.S. and Europe’s discussions on transatlantic privacy. He described the bar for such an agreement as “very high.”

In speaking about the proposed reform of EU data protection law, known as the “General Data Protection Regulation”, Nemitz praised the new “one-stop-shop” approach that will increase data protection efficiency, eliminating the need to comply with up to 28 different countries’ laws and providing a single point of contact for U.S. companies.

“We want to see the growth of the digital economy,” he assured, noting people must trust their data is being protected for this to happen.

The problem, he conceded, is the transition to the new European law will take two years.

Schrems, like it or not, “set a benchmark with which we have to comply,” Nemitz concluded, calling the decision a “historic judgment addressing some of the fundamental issues of not only our time but also the future.”

The view of many American businesses is that Schrems was a political decision, said Boris Segalis, co-chair of data protection, privacy, and cybersecurity for Norton Rose Fulbright US LLP. He described the voided Safe Harbor agreement as “strong and robust.”

American companies took Safe Harbor seriously, not just because it was law but also because they believe people who entrusted their information with them deserve to have it kept private, said Patrice Ettinger, chief privacy officer for pharmaceutical giant Pfizer Inc. Between 200 and 300 people each year participated in ensuring Pfizer remained in compliance with Safe Harbor, she added.

Schrems is unique, said Joris van Hoboken of NYU’s Information Law Institute, because it marks the first time the European Court of Justice has ruled on a national security matter. Van Hoboken offered skepticism about the timetable Nemitz provided for a Safe Harbor 2.0.

“Is the U.S. really going to cooperate with the European Commission?” van Hoboken asked rhetorically of Nemitz. “I’m not convinced the standards you’re describing are going to happen.”

The International Association of Privacy Professionals (IAPP) and Norton Rose Fulbright co-sponsored the event with CLIP.

–Ray Legendre


Comments are closed.