Safe harbour has never been safe because the compliance requirements were never taken seriously by companies and vendors that processed the protected data.
The real effect of the Schrems decision invalidating safe harbour is to finally bring awareness to the U.S. judiciary that our EU neighbors take data protection seriously and that they are extremely unhappy with how lawyers in the U.S. treat protected data from the EU.
This new judicial awareness, coupled with the amended Rule 26(b)(1) limitation that discovery must be “proportional to the needs of the case,” provides hope that meaningful cooperation and progress between the U.S. and EU are now possible on this issue.
Recommended best practices in this time of uncertainty over the transfer of protected data between the EU and U.S. include:
- Have a detailed game plan;
- Retain local counsel;
- Keep local data authorities informed of your plans;
- Understand exactly what protected data is the target of the collection;
- Narrow the scope of collection and processing as much as possible;
- Be transparent with both opposing counsel and the court about the challenges;
- Get informed consent from the target custodian(s) before the collection;
- Law firms and vendors should communicate in detail about how the protected data should be processed and get it in writing;
- Conduct the reviews in country;
- Document the process from start to finish.