This week, the Court of Justice of the European Union (CJEU), the highest legal authority in the European Union, struck down a 15-year agreement between the United States and the EU establishing the “Safe Harbor” program pursuant to which many companies legally transfer personal data from the EU to the U.S. in compliance with the EU Member States’ national privacy regulations. In particular, the CJEU held that the European Commission’s determination under Decision 2000/520/EC (the “Safe Harbor Decision”) that the Safe Harbor program provides adequate data protection in respect of transfers to the U.S. does not trump the ability of national data protection authorities to determine whether or not the transfer of a person’s data to a third country complies with the requirements laid down by the EU Data Protection Directive 95/46 (the Directive). As a result, companies may find that their continued transfer of personal data from the EU to the U.S. violates the national laws of Member States of the EU implementing the Directive.
As of October 6, 2015, the U.S. Chamber of Commerce has noted that, “Businesses on both sides of the Atlantic are seriously concerned about the implications of [the] ruling […] More than 4,400 European and American companies of every size have relied on this agreement to be able to move data seamlessly across the transatlantic economy while providing a high standard of protection for consumers. It is particularly alarming that this longstanding agreement has been invalidated with no discussion of a transition period or guidance regarding how companies should comply with the law while a new agreement is negotiated or as they transition to new mechanisms.”1
In 1998, the EU adopted the Directive to prohibit the transfer of EU citizens’ personal data outside the EU except to countries that the European Commission (EC) has determined maintain an adequate level of data protection. The EC, however, previously determined that the U.S. does not maintain an adequate level of data protection. In order to maintain and grow trade between the U.S. and the EU, in 2000, the U.S. Department of Commerce and the EC negotiated the Safe Harbor program2 pursuant to which most U.S. entities may self-certify their compliance with principles of the Directive, including strict requirements about notice, choice, onward transfer, security, data integrity, and rights to access. Each EU Member State has implemented the Directive with its own legislation, and each EU Member State’s legislation is enforced by its national data protection authority; one advantage of the Safe Harbor program was that participating U.S. entities received protection across the EU without having to negotiate with each Member State.
Until the “Schrems”3 decision on October 6, 2015, it was assumed that the Safe Harbor Decision stopped national data protection authorities in the EU from challenging or suspending the transfer of data to the U.S. where the recipient of the data had enrolled in the Safe Harbor program. However, the CJEU has now ruled that the Safe Harbor Decision is invalid, in part, on the grounds that it denies national supervisory authorities in the EU the power to enforce individuals’ rights to the protection of personal data as guaranteed by the Charter of Fundamental Rights of the EU. It held that the EC does not have competence to restrict the national supervisory authorities’ powers to examine whether the transfer of a person’s data to a third country complies with the requirements laid down by the Directive.
In its ruling, the CJEU noted that U.S. Federal authorities were able to access personal data transferred from EU Member States to the U.S. and process it in a way said to be incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. In addition, the CJEU noted that persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, where relevant, rectified or erased. This and other practices by U.S. authorities were held to compromise the essence of the fundamental rights to respect for private life and effective judicial protection as guaranteed in the EU.
The Schrems decision is not completely unexpected. Since disclosure of the U.S. National Security Agency’s ability to access personal data maintained or processed in the U.S., and in particular, the disclosures by Edward Snowden, pressure has grown in the EU to limit transfers of data to the U.S. and/or to impose more restrictions on use and disclosure of transferred data. As a result, the U.S. Department of Commerce and the EC have been negotiating for more than two years towards a revised Safe Harbor Program. The Schrems decision is expected to complicate the negotiations.
In addition, the EU has continued efforts to update and strengthen the Directive, including possible fines for non-compliance of up to 2% of global revenue.
What is the effect of the judgment?
The Irish data protection supervisory authority must now decide whether the transfer to the U.S. of personal data of European subscribers to Facebook should be suspended on the ground that the U.S. does not afford an adequate level of protection to personal data. With the Safe Harbor Decision annulled, companies transferring personal data from the EU to the U.S. may have to cope with the demands of 27 different national data protection authorities. There are reports that other national data protection authorities have already commenced their own investigations.
The way forward
The Safe Harbor program has not been the only legal means to transfer personal data from the EU to the U.S.; other methods, which continue to be valid, include:
- Obtaining the informed consent of the data subject to the transfer of the data. Broadly, this has meant telling the data subject what is intended to be collected, processed and exported, having adequate security measures in place, keeping data for no longer than necessary and allowing the person to correct and rectify their data. For some entities, the Schrems decision may mean rethinking how informed consent is flagged and obtained;
- Executing Transfer Agreements incorporating the EC’s approved standard model clauses for the transfer and processing of data;
- Within corporate groups, registering with the appropriate European data protection authorities and executing authority-approved ‘Binding Corporate Rules’, allowing the transfer of personal data freely within the group; and
- Pseudonymization and anonymization.
The Safe Harbor program had grown popular, in part, because: (a) obtaining ‘informed consent’, or achieving pseudonymization or anonymization, under the Member State legislation implementing the Directive can be difficult and expensive; and (b) the standard model clauses are inflexible and include restrictive provisions regarding liability, jurisdiction and audit rights.
In addition, the Directive contains limited exemptions to the restriction on transfers of data from the EU. These exemptions are limited in scope and only apply where the transfer is necessary for a permitted purpose. Nevertheless, the exemptions continue to be legally available and may in some circumstances provide a simple solution.
Because many entities relying on the Safe Harbor program have also used other valid transfer methods and many companies have relied entirely on other valid transfer means, not every entity transferring data from the EU to the U.S. is affected by this decision.
While Safe Harbor is no longer ‘safe’, there continue to be valid routes allowing the transfer of data to the U.S. These routes should now be reviewed and, as appropriate, adopted expeditiously by companies that have previously relied solely on Safe Harbor or that had not otherwise been in compliance with the Directive.
Where a data controller transfers personal data to a third party data processor in reliance on the Safe Harbor program, the parties must now revisit the agreements under which the data is processed to ensure that there is a lawful basis for the transfer of data and, if not, to reevaluate their processes. With respect to both IT services (including cloud services) and business process outsourcing, service providers and their customers that relied on their own Safe Harbor compliance or the Safe Harbor compliance of their service provider to transfer data to the U.S. should reevaluate whether they can continue lawfully to fulfil their obligations under their contracts or whether they are required to enter into specific data transfer agreements.