If you have any interest in cross-border discovery or any form of data transfer to the US, you will be aware that the EU Court of Justice has delivered a judgment in Schrems v Data Protection Commissioner the effect of which is to invalidate the EU Safe Harbour regime. The court press release about the judgment can be found here and the full judgment is here.
The judgment was not unexpected, and a blizzard of commentary fell upon us almost immediately. By about next Monday, people who wouldn’t know a safe harbour from a Tawny port will have given us the benefit of their views.
I do not intend to join in and add immediately to the mountain of written commentary. This is partly because I see no point when everyone else has done so, and partly because I prefer to think first and write afterwards, but mainly because I will be expected to talk about Schrems at two events next week and would rather focus on preparing for them.
Patrick Burke and I first joined forces on this subject in 2009, when we were mocked for suggesting that EU data holders would not fall over backwards to comply with a US eDiscovery request because of its conflict with EU data protection and privacy laws. One of my slides from that period showed a picture of a little harbour to support my suggestion that safe harbour was neither safe nor a harbour and that no amount of self-certification under the Safe Harbour scheme would, by itself, protect those who sent data to the US for litigation discovery purposes. How they laughed – whoever would ignore the order of an American court?
They are not laughing now, and it will be interesting to see what reaction we get when we talk about Schrems while it is hot news.
The following day I am speaking in Nashville at an event organised by Cicayda about the commercial and legal implications of recent developments in cross-border discovery. Again, this agenda has been fixed for some time, and the arrival of the Schrems judgment is timely (though less so from the perspective of one required to prepare a talk while the ink is still drying on it).
Let me steer you to two sources whose quality can be guaranteed despite the speed with which they are have got out their opinions.
I point you first to an article called Safe Harbor by Gregory Bufithis, founder/CEO of the Project Counsel Group, which points in turn to a webinar to be given by Hogan Lovells today, 7 October, at 12:00 pm (EDT) / 17:00 (BST) / 18:00 (CEST) .
Hogan Lovells’ own article, also pointing to their webinar, is called Safe Harbor Invalidated – What Next?.
You might also like to look at an article by Cordery called European Court rules Safe Harbor invalid in Schrems case. Cordery has been publishing useful material, including videos, for some time in anticipation of this outcome and is to be trusted as a source of information about it.
If, meanwhile, you have in hand a transaction involving transfers of data to the US, there is only one piece of advice to give: make sure that your lawyers understand and have experience of the issues, both those which have always arisen in this context and the new ones consequent on Schrems.
NB: The Civil Procedure Rules of England and Wales use “judgment” not “judgement”. Schrems is not an English ruling but old habits die hard. I have used the American spelling “harbor” when quoting from someone else who does and the proper spelling otherwise. The CJEU judgment uses “Harbour”; I don’t give a monkey’s really.