Safe harbour has never been safe because the strict compliance requirements were never taken seriously by companies and vendors that processed the protected data.
The real effect of the Schrems decision invalidating safe harbour is to finally bring awareness to the U.S. judiciary and attorneys that our EU neighbors take data protection seriously and that they are extremely unhappy with how we in the U.S. treat protected data from the EU.
This new unprecedented judicial and congressional awareness coupled with Amended Rule 26(b)(1) limitation that discovery must be “proportional to the needs of the case” provides hope that meaningful cooperation and progress between the U.S. and EU is now possible on this issue.
Recommended best practices in this time of uncertainty over the transfer of protected data between the EU and US include:
- Have a detailed game plan;
- Retain local counsel;
- Keep local data authorities informed of your plans;
- Know exactly what protected data will be the target of the collection;
- Narrow the scope of collection and processing as much as possible;
- Be transparent with both opposing counsel and the court re the challenges;
- Get informed consent from the target custodian(s) before the collection;
- Law firms and vendors should communicate in detail about how the protected data will be processed and get it in writing;
- Conduct the reviews in country;
- Document the entire process from start to finish