Many U.S. companies that handle data on Europeans for marketing purposes were prepared for E.U. high court to end the prevailing Safe Harbor on Tuesday and had already begun making accommodations. But remedies will potentially costly and difficult, especially for small marketers.
"I think everybody was hoping they wouldn't, but we were kind of expecting them to rule it this way," said Acxiom Chief Privacy Officer Jennifer Glasgow. But, she said, "This is not going to disrupt a lot of data flow today or tomorrow or next week."
The Safe Harbor compact has helped streamline the data flow for more than 4,000 companies including data brokers, ad technology firms and ecommerce companies among others for 15 years. But alarmed by Edward Snowden's revelations, the E.U. court decided the agreement is not strong enough to protect Europeans' privacy, including against U.S. spies.
Most large firms handling massive amounts of data such as Google, Facebook and Amazon should already have other legal contracts in place, including previous agreements guiding heavily-regulated health and financial data, that should allow them to continue data transfer as usual. Smaller marketers and data vendors won't be so lucky, which could have ripple effects throughought the marketing ecosystem.
"The big companies have probably been gearing up for this for some time, but for smaller companies, this is, I think, a much greater challenge because they don't have the legal sources in house," said Omer Tene, VP-research and education at the International Association of Privacy Professionals.
Legal alternatives to the now-moot Safe Harbor agreement including special contract clauses that apply to specific data uses "are more onerous, cumbersome and especially costly, so this is going to have an effect," he said.
Marketers that had relied on Safe Harbor protection should consider the model contract clauses that the E.U. has approved, which may cover data transfer activity that Safe Harbor no longer does, said Jim Halpert, co-chair of DLA Piper's global data protection, privacy and security practice. Some of those, he warned, involve some "fairly nasty" liability commitments. "Get familiar with these, think about whether you can comply with these currently," he said. (The law firm will host a webinar on the topic Thursday.)
Google, another firm greatly affected by the rule change, declined to comment for this story, but pointed to a statement from the Internet Association, of which it is a member.
"Internet companies have mechanisms in place to effectuate data transfers beyond the Safe Harbor, but smaller companies and consumers both in the EU as well as in the U.S. could experience significant challenges going forward." the statement said. "In light of this far reaching European Court of Justice ruling, the Internet Association calls on the U.S. and EU to join forces to implement a revised Safe Harbor framework and to issue interim guidance to stakeholders pending this implementation."
Ms. Glasgow suggested that lumping together data privacy protections for individuals with the threat of government surveillance is problematic. "The bigger concern is the basis for the European decision didn't really have much to do with individuals," she said.
"Government surveillance really needs to be decoupled from data protection," she said.
Mr. Tene disagreed, suggesting that much of the NSA's surveillance program has been reliant upon data originally gathered and stored for commercial purposes. "The collection of data by government is all about collection of consumer information," he said. "The government was definitely reaching into their databases and their information was of extreme importance."