EU-US Safe Harbor Invalid...What Happens Now?
The Court of Justice of the European Union (CJEU), the European Union’s (EU) highest court, ruled yesterday that the EU-US Safe Harbor Agreement, which has permitted eligible United States (U.S.) companies to receive personal data from the EU, is invalid. While the decision is final and effective immediately, its practical effect likely will depend on the actions of data protection authorities (DPAs) in individual EU Member States. The result could be a regulatory nightmare for companies that, going forward, may be required to ensure compliance with fragmented data protection rules across 28 EU jurisdictions.
In the short term, to the extent they have not already done so, companies currently relying on the Safe Harbor should consider alternative data transfer mechanisms to lawfully transfer EU personal data to the U.S. Immediate alternatives for U.S. companies include model contractual clauses or obtaining individual consents to the cross-border transfer of EU personal data. U.S. companies that fail to explore alternative mechanisms to transfer data may be forced to store their EU personal data locally within EU Member States. The European Commission (EC) has promised guidance on how to deal with data transfers to the U.S. and the potential patchwork of inconsistent DPA decisions.
What is the Safe Harbor?
The Safe Harbor has been a voluntary self-certification system for transmitting data from the EU to the U.S. Under the program, eligible U.S. companies have lawfully received personal data from Europe once they publicly agreed to treat the data according to the Safe Harbor Principles, which resemble EU data privacy laws. Self-certification was made to the U.S. Department of Commerce. The advantages of the Safe Harbor for participating U.S. companies have included broad protection from EU regulators, EU courts and EU law. Safe Harbor compliance instead has been enforced by the U.S. Federal Trade Commission (FTC) pursuant to U.S. statutory authority. The Safe Harbor agreement permits limitations to data protection rules where necessary on grounds of national security, public interest, or law enforcement requirements. More than 4,000 U.S. companies have membership in the Safe Harbor.
What Did the CJEU Do?
The CJEU issued its decision in Schrems v. Data Protection Commissioner. In that case, following the 2013 Snowden revelations regarding U.S. surveillance activities, Austrian law student Max Schrems filed a complaint with the Irish Data Protection Commission (DPC) claiming that “the law and practices of the United States offer no real protection of the data kept in the United States against State surveillance.” Schrems’ complaint related to his use of Facebook and the transfer of EU data to the U.S. by Facebook.
The Irish DPC initially declined to investigate, concluding that the Safe Harbor principles were dispositive. The case was appealed to the High Court of Ireland, which asked the CJEU to decide two questions:
- Whether a data protection commissioner is bound by a [EC] finding that the Safe Harbor agreement provides adequate protection in the face of a complaint alleging it does not; or, alternatively,
- May and/or must the commissioner conduct an independent investigation of the matter in light of the factual developments since the Safe Harbor agreement was first published.
Schrems was heard by the CJEU in May of this year, and the opinion of Advocate General Bot was issued on September 23, 2015, recommending that the CJEU should find the Safe Harbor invalid. The CJEU issued its decision a mere 10 days later, finding in unequivocal terms that “Decision 2000/520 is invalid.”
Specifically, the CJEU found that the Safe Harbor neither eliminated nor reduced the powers granted to DPAs under the EU Data Protection Directive. Accordingly, DPAs have the power to investigate transfers of personal data to a country outside the EU. The CJEU then went on to consider the validity of the Safe Harbor itself. Finding that the access to EU data afforded to the U.S. intelligence community impermissibly interferes with the right to respect for private life and the right to protection of personal data, both of which are guaranteed by the EU Charter, the Court declared the Safe Harbor invalid.
What Does the Decision Mean for U.S. Businesses?
The Safe Harbor is invalid, which means it no longer can provide a basis for transferring personal data from the EU to the U.S. Accordingly, U.S. businesses should explore other data transfer mechanisms and opportunities. Currently, the EU Data Protection Directive permits the transfer of personal data from the EU to the U.S. only in the following circumstances: the individual has given his or her unambiguous consent to the transfer; the transfer is necessary for the performance of a contract; the transfer is legally required; or the transfer is necessary in order to protect the vital interests of the data subject. However, companies should be careful about relying on these provisions to justify data transfers, as they are subject to narrow interpretations by EU DPAs.
To the extent they have not already done so, U.S. companies should explore the other legal mechanisms for EU data transfers permitted under the Directive. Caution is warranted, however, as the CJEU’s reasoning in Schrems would allow EU DPAs to challenge the viability of these alternative methods as well.
These include the following:
- Model Contract Clauses. These contractual provisions have been approved by the EC and likely are the best short-term solution for companies seeking to continue their data transfers. In many ways, however, they are more strict than the requirements of the Safe Harbor. In addition, they expose U.S. companies to EU regulators and EU legal actions.
- Binding Corporate Rules (BCRs). Adopting BCRs is a time-consuming and expensive undertaking, generally requiring consultation and consensus with multiple EU DPAs. Thus, BCRs do not present an immediate solution for U.S. participants in the Safe Harbor. They may present a longer-term solution for companies that are seeking a global solution for exports of EU personal data, or custom solution for trans-Atlantic data flows.
- Anonymization. If the data transferred to the U.S. need not be in an identifiable format, companies could consider anonymizing the data. Companies should note, however, that EU rules set a high bar for anonymization.
The CJEU’s opinion has upended the legal framework for trans-Atlantic data flows, and a political solution is needed. U.S. companies should look in the coming days for EC guidance, but that guidance will likely be insufficient to settle the uncertainties and possible legal patchwork created by the CJEU’s opinion. Businesses should also consider reaching out to U.S. and European policymakers to push for the development of reliable legal mechanisms for maintaining data flows.