European Union High Court Invalidates US/EU Safe Harbor for Data Transfers

October 6, 2015 Advisory

The European Union's highest court today invalidated the 15-year-old European Union/United States Safe Harbor Program (the "Safe Harbor"), which previously provided a basis for lawful cross-border transfers of personal data from the European Union to the United States.[1] While not entirely unexpected, the decision eliminates, in one stroke, a widely used data transfer arrangement that has served as a data privacy bridge between the conflicting privacy cultures of the European Union and the United States. Until such time as U.S. and European trade negotiations conclude a new framework for trans-Atlantic data flows (now in advanced negotiations), U.S. businesses that rely on the Safe Harbor to comply with EU privacy law in data transfers will need to assess their practices and consider substitute lawful means of transferring personal data from the EU to the US.

Background of the Schrems Case

In one sense, the Schrems decision is the sound of another large shoe dropping in the aftermath of Edward Snowden's revelations in 2013 of bulk data collection and surveillance by the U.S. National Security Agency ("NSA"). Maximillian Schrems, an Austrian privacy activist and Facebook critic, filed a complaint against Facebook before the Irish data protection authorities following reports that Facebook (and other U.S. internet and social media companies) had cooperated with the NSA's "Prism" program in its surveillance of personal data and communications of Facebook users (including European users)[2]. The Irish data protection authority rejected Schrems' complaint, but an appeal to the Irish High Court was granted in 2013. That Court, however, referred the matter to the European Court of Justice (the "ECJ") on the grounds that EU law preempted local law on the question of whether Irish data protection authorities could prohibit transfers of Schrems' Facebook data from Ireland to the United States. The ECJ addressed two questions raised by the Irish court: whether the Irish data protection authority is fully bound by the European Union Commission's finding in a 2000 decision that the Safe Harbor provides ‘adequate protection' to EU data subjects in the U.S., or whether the authority can investigate data subject complaints to the contrary. The ECJ addressed these in today's decision but went further and invalidated the entire earlier finding of adequate protection.

Highlights from the ECJ Decision

Today's decision to invalidate the EU Commissions' Decision 2000/520, which formally adopted the Safe Harbor, follows recommendations issued by the ECJ's Advocate General in September of this year. Key findings of today's decision include:

  • Broad, legalized U.S. governmental surveillance of personal data of European data subjects whose data moves to the U.S. under the Safe Harbor goes far beyond the types of limited government access exceptions that were built into the Safe Harbor. Such mass surveillance fundamentally conflicts with foundational human rights and fair information practice principles that undergird European data protection law.
  • U.S. companies participating in the Safe Harbor are nonetheless subject to and bound to cooperate with U.S. authorities, such as the NSA. European Union data subjects accordingly are without any effective rights of the type that were to be protected under the Safe Harbor.
  • All EU member country data protection authorities are empowered to provide a check on whether personal data transferred from their jurisdictions to a third country are compliance with the requirements of the EU Data Protection Directive.
  • Because Decision 2000/520 fails to address the protection of European data subjects from extensive, ongoing and generalized interference with their "fundamental rights" in the United States, the Decision is invalid. As a practical result, the Safe Harbor, which rests squarely on the Decision, is no longer recognized.

What Now for Safe Harbor Participants?

The full reach of today's High Court decision will unfold as EU data protection authorities take stock of their enforcement posture and as U.S. and EU trade negotiators try to complete a new framework in ongoing discussions with the U.S. Some immediate implications include the following:

  • The High Court's invalidation of the Safe Harbor is effective immediately, but the decision offers no direction on how affected U.S. participants can transition out of the old regime to other lawful substitutes. Immediate and broad-ranging enforcement by EU data protection authorities against current Safe Harbor participants seems unlikely, in part because these authorities may not be prepared for an avalanche of complaints by data subjects. EU member country data protection authorities will probably issue guidance in the near term. The United Kingdom's Information Commissioner's Office, for instance, released a statement on its website today urging affected businesses to check back to EU data protection authority websites for future guidance, noting:

"The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take some time for them to do this."[3]

  • The U.S. Department of Commerce and the Federal Trade Commission ("FTC"), which administered the Safe Harbor in the U.S., may also suggest measures for the thousands of U.S. businesses that have self-certified for participation in the program. As of today's decision, the FTC –which has recently pursued enforcement actions against dozens of U.S. businesses for failing to comply with the Safe Harbor –has been stripped of any ongoing basis to enforce the Safe Harbor.
  • U.S. businesses may no longer rely on the Safe Harbor for lawful transfer of EU personal data to the United States. Businesses that rely exclusively or primarily on the Safe Harbor program need to assess whether they can use other permitted ‘derogations' under the EU Data Protection Directive's adequacy requirement. These derogations include transfers:
    • where a data subject has given unambiguous consent to the transfer,
    • that are necessary to the performance of a contract between a data subject and the data controller, or necessary to conclude or perform a contract with a third party in the interest of the data subject,
    • required on important public interest grounds or in connection with legal claims, and
    • from certain public sources of data.

Note: The foregoing ‘derogations' permitting transfers of personal data to third countries that lack ‘adequate protection' tend to be construed narrowly by European data protection authorities and should be relied upon only after careful review of the circumstances. Businesses that have worked to create compliant Safe Harbor programs should not panic, but also should not simply hope that a new ‘Safe Harbor 2.0' will quickly come to the rescue.

  • In addition, U.S. businesses may consider using the EU model contract clauses for trans-Atlantic data flows with their EU-based affiliates and business counter-parties. Others may consider adopting the EU binding corporate rules ("BCRs") as a long-term solution (although the path to approval for BCRs can be long and costly).
  • Companies that rely on third parties (e.g., outsourcers, cloud service providers) who are ‘Safe Harbor' certified for the processing of personal data will want to understand how their service providers will be addressing any concerns raised by today's decision.

The European Union has played its hand in the long-pending trans-Atlantic discussion over improvements to the US/EU Safe Harbor. The resolution of the privacy debate on EU/US data flows will not be a ‘tweak' of a treaty that has been thoroughly invalidated. It remains to be seen whether and when a new Safe Harbor will arise from the ashes of the old. In the meantime, U.S. businesses that signed up for the Safe Harbor will need to find new ways to establish lawful transfers to the U.S of personal data from the European Union.