What should US-based firms do while they wait for GDPR?
Keep their noses clean. "Safe Harbour was only one of the options available to exporters and importers of personal data to the US," says Evershed. "Consent is one way of transferring personal data outside the European Economic Area, but the other, possibly more practical way is to use EU Model Clause agreements – they're a standard form agreement that can't be negotiated."
However, adjustments will be needed – not least because of 'dark data'; 52% of the information organisations are storing and hoarding is unknown even to them, according to Veritas. All the lawyers TechRadar Pro talked to agreed that the Model Clause agreement was the way to go.
"Until the Commission takes its final decision on the Privacy Shield, binding corporate rules and model clauses are still valid means of transferring data to the US," says Nicola Fulford, Head of Data Protection & Privacy at Kemp Little. "It also confirmed that transferring personal data to the US under the invalidated Safe Harbour decision is illegal."
"Many businesses have implemented alternative methods of data protection compliance, including the use of model contracts," says Ashley Winton, Partner and UK head of data protection and privacy at international law firm Paul Hastings LLP, and Chairman of the UK Data Protection Forum. He doubts there is much appeal for businesses in adopting the Privacy Shield, since it will increase their potential liability.
Others think a more physical approach to cloud computing is sensible. "In terms of their legal and regulatory obligations, these companies should host EU citizens' data exclusively within the EU borders and suspend transfer of data to the US," says James Henry, UK Southern Region Manager, Auriga Consulting. Cue the hybrid cloud.
While the GDPR itself is unlikely to be a uniform, cross-EU law, the Privacy Shield certainly is not. "Many companies today are assessing their requirements on a country-by-country basis, with EU member states expected to layer their own rules on data protection on top," says Jones. This could mean different data regulations in each EU member state.
In any case, data protection and privacy laws are incredibly fluid, so no-one should get complacent. "Companies will need to be prepared to revisit this issue on a regular basis."
Europe may one day have a blanket law on data protection, but even with the GDPR, it's likely to be implemented differently in each region. For now, Germany, France and Switzerland have the most stringent rules on data sovereignty.
"If a US-based company needs to transfer data from Germany to the US," says Toby Duthie, Partner at Forensic Risk Alliance, "it will have to take into account state and federal data protection laws, engage with workers and potentially their counsel, review the data in Germany, and ask a US court or government entity to request the documents from Germany through official processes – such as a mutual legal assistance treaty (MLAT)."
It's complex stuff, and what's more, the situation elsewhere in the EU is completely different. "In France, US companies will have to consider 'blocking statutes', and in Switzerland the Swiss Blocking Statute and Bank Secrecy laws, before transferring data out of the country," adds Duthie. The UK's Data Protection Act and Italy's Data Protection Code also make data transfers difficult.
Crimes and punishments
"The German Data Protection Authority has already taken legal action against three companies still relying on Safe Harbour, and we expect more to follow," says Nicky Stewart, Commercial Director at Skyscape Cloud Services, who points out that Google, Facebook and Fitbit are all still relying on Safe Harbour regulations.
It's thought that the EU Council is making plans to allow fines of up to €1 million (around £800,000, or $1.15 million), or 2% of global annual turnover, to be imposed, and for the EU Parliament to levy fines of up to €100 million (around £80 million, or $115 million), or 5% of global turnover. "Once the new EU legislation is in place, the EU Council and EU Parliament will be able to enforce potentially crippling fines," says Duthie.
That will make compliance with EU data protection law much more compelling for companies such as Google and Facebook, thinks Stewart, who expects that the European Commission's plans to regulate 'platform providers' will be "comprehensive and wide-ranging".
Not that size matters. "The size of the organisation doesn't help it escape compliance," says Leichter, "although smaller companies are less of a regulatory target and risk smaller, but still substantial fines."
Small companies that trade internationally from the UK can get excellent guidance and advice from the 'pragmatic' Information Commissioner's website.
What happens next?
It's now up to politicians in EU member states to discuss the GDPR, and legislate. However, the ultimate arbiters of what happens next – and how the GDPR shapes up – won't be companies, the US Department of Commerce, or the European Commission, but national regulators and the judges of the European Court of Justice.
Since the EU has the most progressive laws on data protection globally, it is they who are the gatekeepers not only of EU citizens' personal data but, in a globalised market, of the entire globe's. "Internet communication has made the whole discussion on data privacy a global interest," says Lillian Pang, Senior Director, Legal, Rackspace. "But many countries will continue to observe what the EU does."