Guidance for U.S. Businesses After the Historic Safe Harbor Decision
On October 6, 2015, in a landmark decision with far-reaching consequences for both U.S. and European businesses, the Court of Justice of the European Union (CJEU) ruled that the EU-U.S. Safe Harbor Agreement is invalid. For companies relying on the Safe Harbor to transfer EU personal data to the United States, the decision means that they will either need to find a data transfer work-around, localize their data within the EU, or risk being technically out of compliance. Although many companies seem to be prepared with a work-around, there has been understandable confusion since the CJEU’s historic ruling about what happens next and whether there is any legal and practical way forward on EU/U.S. data flows. Indeed, the European Parliament’s Civil Rights Committee (LIBE) has called for reflection on how the CJEU’s judgment affects other ways of transferring data, and at least one EU Member State data protection commissioner already has declared that U.S. businesses should do a complete review of their data transfers and consult with him in every instance. One thing is clear: a political solution is needed to settle uncertainties and avoid the potential legal patchwork created by the CJEU’s decision.
The EU-U.S. Safe Harbor Framework
Until recently, the EU-U.S. Safe Harbor Framework provided a method for U.S. companies to transfer personal data outside the EU in a manner consistent with the EU Data Protection Directive (Directive). The Directive is the EU’s comprehensive data privacy law, adopted in 1995. Officially titled the “European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data,” the Directive seeks to “protect the fundamental rights and freedoms of natural persons and, in particular, their right to privacy with respect to the processing of data” and to facilitate the “free flow of personal data” among EU member states by harmonizing privacy laws across the EU. With this broad objective as a springboard, the Directive extensively regulates the processing of personal data in the EU, imposing rules that break down into three categories: (1) complying with certain data quality principles and rules; (2) disclosing to data subjects and addressing their concerns; and (3) reporting to state agencies. One of the most important aspects of the Directive, however, is its restrictions on cross-border data transfers. Transfers of personal data to countries outside the EU are permissible only if the recipient country “ensures an adequate level of protection.” Only a handful of countries have been found to meet this standard. Notably, the U.S. is not one of them.
For this reason, the Directive immediately presented a serious threat to the flow of data between the EU and the U.S. Regulators in the EU and the U.S. recognized the threat, however, and fashioned the Safe Harbor as a solution. Formally adopted on July 26, 2000, the Safe Harbor has been a voluntary self-certification program for transmitting data from the EU to the U.S. under the Directive. Specifically, under the program, U.S. companies have lawfully received personal data from Europe once they publicly agreed to treat the data according to the Safe Harbor Principles, which resemble EU data privacy laws. Self-certification was made to the U.S. Department of Commerce. The advantages of the Safe Harbor for participating U.S. companies have included broad protection from EU regulators, EU courts, and EU law. Safe Harbor compliance instead has been enforced by the U.S. Federal Trade Commission (FTC) pursuant to U.S. statutory authority. The Safe Harbor agreement permits limitations to data protection rules where necessary on grounds of national security, public interest, or law enforcement requirements. As of the date of the CJEU’s ruling, more than 4,000 U.S. companies had membership in the Safe Harbor.
Criticism of the Safe Harbor and Safe Harbor 2.0
Criticism of the Safe Harbor is nothing new. The Safe Harbor has attracted criticism since its approval in 2000, and European regulators ramped up those criticisms in the wake of the Snowden disclosures regarding U.S. national security surveillance activities. As details of U.S. surveillance activities emerged, European officials increasingly called for review and, in some cases, suspension of the agreement. In fact, the European Commission released a six-point action plan in 2013 to restore trust in data flows between the U.S. and the EU. The plan, among other considerations, contemplated accelerated review of a proposed EU data protection reform package as well as the extension of certain U.S. privacy protections to EU citizens. The plan preserved the Safe Harbor framework despite criticism in the EU, and regulators on both sides of the Atlantic have since been negotiating “Safe Harbor 2.0” to address EU concerns about the data sharing pact. Although those negotiations reportedly were nearing completion, Safe Harbor 2.0’s status now is unclear in light of the CJEU’s ruling.
The Challenge: Schrems v. Data Protection Commissioner
In Schrems v. Data Protection Commissioner, Austrian law student Max Schrems filed an outright legal challenge to data transfers to the U.S. Schrems filed a complaint with the Irish Data Protection Commission (DPC) claiming that “the law and practices of the United States offer no real protection of the data kept in the United States against State surveillance.” Schrems’ complaint related to his use of Facebook and Facebook’s transfer of EU personal data to the U.S.
The Irish DPC initially declined to investigate, concluding that the Safe Harbor principles were dispositive. The case was appealed to the High Court of Ireland, which asked the CJEU to decide two questions:
- Whether a data protection commissioner is bound by a [European Commission] finding that the Safe Harbor agreement provides adequate protection in the face of a complaint alleging it does not; or, alternatively,
- Whether the commissioner may and/or must conduct an independent investigation of the matter in light of the factual developments since the Safe Harbor agreement was first published.
Schrems was heard by the CJEU in May of this year, and the non-binding opinion of Advocate General Bot was issued on September 23, 2015. The Advocate General’s opinion recommended that the CJEU find the Safe Harbor invalid in light of perceived indiscriminate U.S. government surveillance activities.
The CJEU’s Ruling
The CJEU issued its judgment on October 6, 2015, a mere 12 days after the Advocate General’s opinion was released. The judgment comprised two findings. First, the CJEU found that the Safe Harbor did not eliminate or reduce the powers granted to national data protection authorities (DPAs) under the Directive. Accordingly, DPAs have the power to investigate and suspend transfers of personal data to a country outside the EU, even where the European Commission has adopted a finding that the recipient country affords an adequate level of data protection. Second, the CJEU held in unequivocal terms that the Safe Harbor Decision is invalid. The CJEU stated that the access to EU data afforded to the U.S. intelligence community impermissibly interferes with the right to respect for private life and the right to protection of personal data, which are guaranteed under the Charter of Fundamental Rights of the European Union. The CJEU further emphasized that the U.S. does not provide EU citizens with the ability to obtain judicial redress in the U.S. Notably, the CJEU did not find that Facebook itself had violated the Safe Harbor or that it improperly handled EU personal data—the decision instead was grounded in U.S. government activities.
Guidance for U.S. Companies
The Safe Harbor is invalid, which means it no longer can provide a basis for transferring personal data from the EU to the United States. U.S. companies should complete an audit of their data transfers to identify transfers that were undertaken in reliance on the Safe Harbor. To the extent they have not done so, companies should explore other mechanisms to support ongoing transfers.
Alternative data transfer mechanisms may include the following:
Derogations from Adequacy Requirements. The Directive currently provides a number of derogations from the adequacy requirements for cross-border data transfers. Pursuant to these derogations, a company may transfer EU personal data to the U.S. in the following circumstances: the data subject has given unambiguous consent to the proposed transfer; the transfer is necessary for the performance of a contract between the data subject and the data controller (defined as the party responsible for determining how to collect, store, and otherwise use personal data); the transfer is necessary for the performance of a contract concluded in the interest of the data subject; the transfer is legally required; or the transfer is necessary in order to protect the vital interests of the data subject. However, companies should be careful about relying on these provisions to justify data transfers, as they are subject to narrow interpretations by EU DPAs.
Model Contract Clauses. Model contract clauses likely are the best short-term solution for companies seeking to continue their data transfers. These contractual provisions have been approved by the European Commission. In many ways, however, they are stricter than the requirements of the Safe Harbor. In addition, in some cases, they require pre-approval from national data protection authorities and expose U.S. companies to EU regulators and EU legal actions.
Binding Corporate Rules (BCRs). BCRs allow companies to develop and adopt internal privacy policies that mandate EU-style data protections across the entire organization. Adopting BCRs is a time-consuming and expensive undertaking, generally requiring consultation and consensus with multiple EU DPAs. Thus, BCRs do not present an immediate solution for U.S. participants in the Safe Harbor. They may, however, present a longer-term solution for companies that are seeking a global solution for exports of EU personal data or a custom solution for trans-Atlantic data flows.
Data Anonymization. If the data transferred to the U.S. need not be in an identifiable format, companies could consider anonymizing the data. Companies should note, however, that EU rules set a high bar for anonymization.
Caution is warranted, however, as the CJEU’s reasoning in Schrems could allow EU DPAs to challenge the viability of these alternative methods as well. In fact, a proclamation issued by LIBE calls for reflection “immediately” on how the judgment affects other ways of transferring data, including model contractual clauses and BCRs. In addition, a German data protection commissioner has recommended that companies using model contractual clauses cancel them and consult with him on each data transfer. Other DPAs may soon follow suit.
The CJEU’s ruling has created legal and practical uncertainties between the two largest trading partners in the world that need to be resolved as soon as possible. Indeed, the decision paves the way for national DPAs to challenge any adequacy finding and any transfer, regardless of the data transfer mechanism. The result could be a regulatory nightmare for companies that, going forward, may be required to ensure compliance with fragmented data protection rules across 28 EU jurisdictions. The decision also raises questions as to the status of data previously transferred under the Safe Harbor.
The European Commission has promised guidance on how to deal with data transfers to the U.S., and there already has been a meeting between the Commission and national DPAs. While there has been no official statement from that meeting yet, a second meeting was held on October 15. Businesses should consider reaching out to U.S. and European policymakers to push for the development of reliable legal mechanisms for maintaining data flows and harmonization of privacy rules across the EU.