Restive regulators in Europe are gearing up to enforce tough privacy laws and further court challenges await, activists say.
The breakdown of the main framework for providing legal cover for cross-border data transfers has companies large and small racing to find workable alternatives. These range from stricter data-handling policies to new technologies or paying to lease data centres based in Europe.
Companies, facing renewed threats by privacy regulators, find themselves on legal thin ice with many of the existing procedures for managing cross-border data flows, experts say.
Hailed as a "Privacy Shield" by European Union and US negotiators who reached the new cross-border data sharing agreement, the deal faces a labyrinthine approval process before the new rules have any chance of coming into force.
"Once it becomes available, businesses will want to be cautious about signing up to Privacy Shield given the potential legal challenges that special interest groups have already suggested they will be considering," cautioned Marc Dautlich, a partner with Pinsent Masons in London.
Tough on privacy
Cross-border data transfers are used in many industries for sharing employee information, when consumer data is shared to complete credit card, travel or e-commerce transactions, or to target advertising based on customer preferences.
Since 2000, up to 4,500 US companies had come to count on a simple set of rules, dubbed Safe Harbour, allowing them to self-certify they complied with privacy principles for personal data transfers from Europe to the United States. Many other firms, especially fast-growing start-ups, did nothing to comply.
In October, the European Court of Justice threw out Safe Harbour. In a landmark decision, it ruled the mechanism provided inadequate protections under European privacy laws against the sorts of spying by US intelligence agencies revealed by former NSA contractor Edward Snowden in 2013.
Independent-minded national privacy regulators say they need to know more details about the so-called "Privacy Shield" but many openly doubt the agreement can bridge the gulf between the two continents' privacy practices.
"Transfers to the US cannot take place on the basis of the invalidated Safe Harbour decision. EU data protection authorities will therefore deal with related cases and complaints on a case-by-case basis," Europe's national privacy regulators said in a joint statement on Wednesday.
The data commission for Schleswig-Holstein, Germany's most northern state, said it was prepared to take action on national data protection rules if citizens file complaints.
The regulator warned in October that firms found in violation of German data protection rules could face fines up to EUR 300,000 ($335,000 or roughly Rs. 2.27 crores). Across the region, multi-million euro fines could be imposed on offenders and commercial transfers of personal data prohibited, privacy experts say.
Searching for options
An alternative form of legal compliance offered by the EU are "standard contact clauses", or "model contracts", which require companies to spell out exactly what data is being transferred to what US companies and the measures to be taken to ensure compliance with European privacy law.
Some national data authorities offer what is known as "binding corporate rules" (BCRs), which companies mostly use for cross-border employee data transfers inside their organisations. But BCRs can take up to 12-18 months to be formalised, while model contracts can take days or weeks.
However, many regulators and privacy experts say that the same high court ruling that struck down Safe Harbour may also render model contracts and BCRs invalid, making them only a temporary safe haven for meeting European rules.
Using technology to keep data within Europe's borders is a longer term, if pricier solution. Leasing datacenters based in Europe rather than relying on centralised US servers has started to take off over the past year or two.
That's an approach huge cloud-based software companies Microsoft and Amazon.com and specialist datacenter providers have begun offering to customers to meet a patchwork of data residency requirements in Europe.
US file-sharing company Syncplicity has introduced software that keeps sensitive corporate data created in Europe within the region, offering new ways to store data in the cloud locally.
© Thomson Reuters 2016