David Keating, partner and co-leader of the firm’s Privacy & Data Security practice, was quoted on Law360 regarding the practical impact on companies of the decision of the European Court of Justice (ECJ) invalidating the EU-U.S. Safe Harbor program for transfers of personal data.
The ECJ decision requires companies to evaluate the mechanisms they and their vendors use to move data out of the European Union and the European Economic Area. One option that is being discussed by the commentators is to secure individual data subject consents. David points out that this approach may not be ideal, however. “Consent in general is more difficult and generally disfavored . . . ,” he stated. “[This is] because . . . when you have repeated systemic transfers [of data, European regulators are concerned that] the company is not [necessarily required to] provid[e] privacy protections for data after the transfer like they are with model clauses or other mechanisms.”