Data Protection: EU-US Safe Harbor declared invalid by EU court
In our recent update, we reported that the Advocate General (“AG”) to the Court of Justice of the European Union (“CJEU”), the highest court in the EU, gave an opinion that “safe harbor” should be declared invalid and that local regulators could investigate transfers purportedly made under that mechanism.
The CJEU has today followed that advice (albeit on different grounds) and declared Safe Harbor invalid.
This decision creates significant repercussions for EU to US data flows. This note sets out our immediate reaction and thoughts; we will follow up on this with a fuller discussion when the main players (the EU commission, the US Government, and the data protection regulators) have commented.
What is Safe Harbor?
Data protection law in the Europe Union is harmonized and each member state provides that personal data may not be transferred outside Europe unless the data controller assures an ‘adequate level of protection’.
Until this present decision, pursuant to a European Commission decision from 2000, Safe Harbor was one of a number of mechanisms available to European entities to ensure that mechanism when the recipient was a US entity. US entities could self-certify that they adhered to the seven Safe Harbor principles and makes a public declaration of this adherence. Failure to adhere to the principles would lay a member open to enforcement by the FTC bringing deceptive trade practices charges.
4,400 US companies have self-certified to the scheme.
Background to the Case: Schrems v Data Protection Commissioner of Ireland
A fuller background to the case is in our earlier update. In brief, Facebook in Ireland sent data to its US servers. Maximillian Schrems, an Austrian Facebook user, complained to the Irish Data Protection Commissioner (“Commissioner”), alleging that “indiscriminate and mass” access to data by the US intelligence service (revealed by Edward Snowden) meant that Safe Harbor could not be relied upon to protect European data. The Commissioner refused to investigate and so proceedings were brought in the Irish High Court by Mr Schrems against the Commissioner, in effect trying to force him to investigate Facebook. The High Court referred the matter to the CJEU.
The CJEU
As set out in our earlier update, the AG advised the CJEU to declare Safe Harbor invalid and also to confirm that local data protection authorities were not, in any case, prohibited from investigating data transfers because of a Commission "adequacy" decision. In the majority of cases, CJEU judgements follow the AG opinions so, although controversial, this decision was widely expected. What is surprising though is the shortness of the gap between opinion and judgment. It would normally be a few months but here it has been less than two weeks.
The CJEU held:
- Safe Harbor is invalid. The AG had criticized US legal protection in relation to what he termed “mass and indiscriminate surveillance”. The CJEU was more judicial in its tone. Whilst there was some criticism of US legal protections, that is not the main thrust of the challenge. Instead, the CJEU found, the Commission was simply not authorized to find Safe Harbor adequate since the legislation only allowed the Commission to look at the laws as a whole in a particular country. This finding may have repercussions in terms of trying to fix Safe Harbor by renegotiating it.
- The national data protection authorities do have the right to investigate transfers made under Safe Harbor. They are not bound by Commission “adequacy" decisions.
What does it mean for companies sending data to Safe Harbor members?
It will take a little while for the dust to settle, and no doubt there will be urgent EU-US governmental negotiations as to how to resolve the situation. We discuss some other developments below.
However, in the meantime, European entities can no longer rely on Safe Habor as a means for ensuring data transfers are lawful under European data protection laws. This applies to all types of data including employee data and customer data.
Instead, they will immediately need to consider putting in place an alternative method for legitimizing the transfer under the European rules:
- Putting in place certain types of data transfer contracts (on EU sanctioned “standard clauses”);
- Putting in place “binding corporate rules”; and (If the exporting entity is a UK company) undertaking a “self-assessment” as to the protection of the data in the hands of the recipient.
We provide some detail of these mechanisms (in the context of sending data within a group) in this white paper.
What does it mean for US companies that are members of Safe Harbor.
It should be emphasised that a US member of safe harbor is not acting unlawfully simply because the scheme is declared invalid under European rules. The restriction on sending data to the US applies to the European “exporters” of data, not to the US recipient. However, US companies that have joined safe harbor with a view of reassuring these European exporters and providing a solution for their compliance needs will have to revisit the situation. There are two broad categories of “Safe Harbor” recipients. First, US service providers who are in Safe Harbor because they deal with a European customer base. Some of these have already faced demands to leave data in European data centres, and unless there is a swift political solution these demands are likely to increase. This is not a quick solution of course and in the short term, they may well be faced by demands from their EU customers to put in place other compliance methods (such as “standard clauses” just mentioned). Secondly, US companies who are in Safe Harbor because they are members of a multinational group where data is shared throughout that group (perhaps because of the provision of a centralized infrastructure from US data centres or centrally managed HR functions). Here, again, a quick solution is likely to be to put in place “standard clauses”. What does it mean for US companies that use other methods for legitimizing transfers to the US? The CJEU criticism of the Commission’s Safe Harbor decision is narrower than that in the AG opinion. The fear that had been expressed that other methods are immediately at risk seems to have receded. However, the finding that local regulators are not hindered by other Commission adequacy decisions is also an important part of the decision and cross-border data flows are now open to scrutiny on a case-by-case basis. It is hoped though that most regulators will, until any other method is declared invalid, honor Commission findings (for example, in relation to contracts).
The wider context
Safe Harbor was in the process of being renegotiated between the US and the EU and this judgment will inevitably feed into that process. In June 2015 the EU and the US reaffirmed their commitment to reach an agreement, however there is no firm timetable for concluding their negotiations. Statements by Věra Jourová, the EU Justice, Consumers and Gender Equality Commissioner, indicate the issue of national security exemptions is a sticking point for both sides. A spanner in the works though is the criticism of the judgment that the Commission was simply not empowered to agree Safe Harbor (which would presumably include any renegotiated Safe Harbor).
This may only be capable of being fixed by means of new legislation.
As is well known, the EU is currently in the process of renewing its wider data protection legislation with the adoption of a Data Protection Regulation. A text for this was expected to be finalized by the end of 2015 or early in 2016 (although there have been earlier slippages). It will be no surprise if the decision in the Schrems case delays this progress as legislators in Europe are likely to try and deal with the issue in a manner that will survive future CJEU scrutiny.