EU High Court Invalidates U.S.-EU Safe Harbor Framework

As has been widely reported, the U.S.-EU Safe Harbor – probably the most commonly used method for transferring personal data to the United States – has been invalidated by an EU court.  The court’s decision has wide-ranging implications for data protection compliance for U.S. businesses and other organizations with activities in Europe.  While the decision makes it clear that Safe Harbor is no longer a valid mechanism for data transfers, the decision leaves unanswered many questions about the data transfer rules going forward.  Some of these questions will not be resolved immediately, as answers will depend on (1) how data protection regulators react to the court’s decision; (2) what is included regarding transfers in the final version of the proposed General Data Protection Regulation; and (3) whether the United States can deliver on commitments to assuage European concerns over surveillance.

Background: CJEU’s Schrems Decision

On October 6, the Court of Justice of the European Union (CJEU) issued its highly-anticipated ruling in Schrems v. Data Protection Commissioner in which the Court immediately invalidated the 16-year old U.S.-EU Safe Harbor Framework, less than two weeks after the CJEU’s Advocate General recommended that the Court take a similar course of action. In his opinion to the CJEU, Advocate General Yves Bot claimed that the Safe Harbor Framework failed to adequately protect Europeans’ personal data against the large-scale collection by U.S. law enforcement and national security agencies.

The CJEU invalidated the Safe Harbor program on similar grounds, finding that the program did not ensure an adequate level of protection for the fundamental rights of European citizens concerning privacy and personal data, as required under the EU’s Charter of Fundamental Rights and its Data Protection Directive (“Directive”).

Specifically, the Court noted that Article 25 of the Directive prohibits the transfer of personal data to countries outside of the EU that do not ensure an “adequate level of protection” for personal data in accordance with EU law. Because the U.S. lacks comprehensive privacy legislation, the Safe Harbor was created by the U.S. government and the European Commission (EC) in accordance with Article 25 to allow companies to self-certify their adherence to privacy safeguards based on EU principles.

But the CJEU held that the Safe Harbor program did not provide “adequate protection” in light of surveillance practices by U.S. law enforcement and national security agencies. Pointing to a report by the EC stating that personal data transferred to the U.S. was accessible and processed in a way “beyond what was strictly necessary and proportionate to the protection of national security,” the Court declared that “protection of the fundamental right to respect for private life at EU level requires [personal data protection] derogations and limitations . . . to apply only insofar as strictly necessary.” The Court also noted that the lack of judicial redress to such violations also violated the fundamental rights of EU citizens.

Lastly, the Court noted that the EC’s decision finding that a third country ensures an adequate level of protection does not automatically mean that the EC’s determination is beyond review. Instead, the CJEU held that the national Data Protection Authorities (“DPAs”) within each EU member country can review petitions from individuals challenging the adequacy of transfers to third countries in accordance with the EU Charter and the Directive, but only the CJEU can declare EC adequate protection determinations invalid.

What to Do Now

We will provide additional analysis of the decision and its implications in the coming days.  In the meantime, we have the following suggestions for Safe Harbor-certified companies: First, the court’s decision should not stop most companies from continuing their activities in Europe – at least for the present time.  There are other circumstances in which data protection law currently allows businesses to transfer personal data to the United States.  Enforcement of the court’s ruling depends on individual data protection authorities.  They will now be charged with investigating how organizations are protecting personal data that is transferred to the U.S.  How quickly the DPAs react and what approach they take will be important in determining what companies should do.  DPAs generally have authority under national data protection laws to approve data transfers on an ad hoc basis that is independent of Safe Harbor and other mechanisms established at the European level.  Having a privacy policy for EU personal data that is based on the Safe Harbor principles can be part of an overall compliance program that satisfies DPA requirements for approving a transfer.

Second, organizations should begin reviewing their data transfers from Europe and determine which transfers rely on Safe Harbor.  It will be important to determine what country’s data protection regulator has supervisory authority over the entity making the transfer as data protection authorities may have different approaches.  For example, German privacy regulators may react differently than authorities in Ireland or the UK.  Also U.S. organizations will need to consider what U.S. suppliers they are using for hosting, analytics and other support services.  If personal data that has been received from a European entity has been later given to a U.S. vendor on the basis of the vendor’s Safe Harbor self-certification, a transfer agreement may be needed.

Third, organizations should get ready to respond to requests from their European partners and customers to take additional steps for personal data transfers to the United States.  U.S. businesses without a European subsidiary do not transfer data out of Europe themselves and therefore do not have direct obligations under the data transfer rules.  But even if it is a European affiliate making a transfer to a U.S. sister company, a European customer may be more likely to ask about data transfer compliance than a national DPA.

U.S. companies face a period of uncertainty with respect to European data protection compliance.  Many companies will need to consider additional compliance measures in order to satisfy European partners and regulators, such as using the model clauses for personal data exports adopted by the European Commission.  Existing arrangements involving data transfers should be reviewed with legal counsel to determine what additional measures should be put in place.  A new version of the Safe Harbor Framework may be possible, but because the CJEU has taken an uncompromising stand and offered no transition process most U.S. organizations with activities in Europe won’t be able to wait very long for new data transfer arrangements that can match the flexibility of the U.S.-EU Safe Harbor.