Solving the Unsolvable on Safe Harbor -- The Role of Independent DPAs

[Commentary] Since the European Court of Justice (ECJ) announced its Schrems decision on October 6, there has been understandable consternation about what comes next -- is there any legal and practical way forward on EU/US data flows? Fortunately, we have faced a similar situation once before, and solved it. That earlier experience, in the late 1990s, suggests a promising path this time as well. Notably, this path reaffirms the lawfulness of Binding Corporate Rules (BCRs) and model contract clauses, thus providing ongoing, lawful means of transferring personal data to the US.

The ECJ, in Schrems, has affirmed a bedrock principle, that an independent authority must be in place to protect EU citizens’ fundamental right to privacy. At a formal level, independent authorities have this authority when they approve and oversee BCRs and contract clauses, so BCRs and clauses are fundamentally consistent with the right of redress and the Court’s opinion. There are numerous challenging issues ahead as the EU implements Schrems and moves forward with the General Data Protection Regulation. As in the 1990s, however, there is a legal path forward for transfers of data, especially when the analysis includes a fair understanding of what the EU expects of its own organizations.

[Peter Swire is the Huang Professor of Law and Ethics at the Georgia Tech Scheller College of Business, and Senior Counsel with Alston & Bird LLP]