Good Morning. Safe Harbor is Dead. What does it mean, now and later?

With these words, the European Court of Justice (ECJ) has just ruled the “Safe Harbor” agreement between the US and EU invalid:

As a result, individual European countries can now apply their own regulations for companies’ handling of their citizens’ personal data when that data will flow to the US, creating enormous uncertainty for all contexts in which those transfers take place, which in the age of the Internet is almost all the time. EU countries can, if they wish, choose to suspend the transfer of data to the US, forcing companies to host personal data exclusively within Europe.

For most companies, this will mean a quick turn to “model clauses” executed between European “data controller” companies or affiliates and US “processor” companies, even though the logic of the decision — grounded in misunderstandings about US governmental surveillance of personal information — would, if extended, undermine both model clauses and binding corporate rules (BCRs). Consent of the individual — so fragile, revocable and temporary — is the only major basis for data transfers to the US that remains logically unscathed by this decision, because unlike model clauses and BCRs, it does not rely on fictitious protection of the individual from (mostly fictitious) surveillance.

There is, of course, a great deal more to say, and you have many other news sources, so I will end for the moment with this provocative question: Does this decision presage stronger global data protection, or the death of the nation state, or — for the world to work and data to keep flowing — a new regime of contract, i.e. not the model clauses, but contracts with the person at the center?

 
