The European Court of Justice struck down the safe harbor agreement that allowed data transfers between U.S. and EU companies, ruling that because the scheme gives priority to U.S. law enforcement and intelligence officials, it does not adequately protect EU citizens’ privacy rights.
The thousands of companies that rely on the safe harbor now must find an alternative way to transfer data and avoid EU regulators’ scrutiny over how they are protecting private data.
One method would be to rely on obtaining informed and explicit consent from consumers. “
But David Keating, co-chair of Alston & Bird’s Privacy & Data Security Group, noted that “consent in general is more difficult and generally disfavored.”
“Data protection authorities in Europe have all been clear that consent is not in their view a good substitute for when you have repeated systemic transfers,” Keating said, “because the company is not providing privacy protections for data after the transfer like they are with model clauses or other mechanisms.”