EU–U.S. Data Protection Safe Harbor: Not Safe Anymore
On October 6, 2015, the European Court of Justice ("ECJ") invalidated the European Union–United States data protection safe harbor (the "Safe Harbor"). In its decision in Case C-362/14 Maximilian Schrems v Data Protection Commissioner, the ECJ invalidated the Safe Harbor because it failed to provide an adequate level of protection to personal data transferred from the EU to the U.S., as required by the EU Data Protection Directive 95/46/EC. A press release summarizing the decision can be found here.
The Safe Harbor was implemented by agreement between the U.S. government and the EU Commission in 2000, and since then more than 4,000 U.S. companies have signed up to the Safe Harbor in order to receive electronic data from the European Union. As a result of this decision by the ECJ, international data transfers cannot continue to be made by customers and businesses in the EU to U.S. companies on the basis of the Safe Harbor.
Following the Advocate General's view in his September 23, 2015 opinion, the ECJ furthermore made clear that the data protection authorities in Member States must be able to examine whether a data transfer to a third country complies with the requirements of the EU Data Protection Directive, even if a Commission decision (as in the case of the Safe Harbor) has been adopted. However, only the ECJ itself shall have jurisdiction to declare the Commission decision in question invalid. In finding that Member State data protection authorities have such powers, the ECJ may have opened up a new era of intervention by Member State data protection authorities with respect to other Commission decisions, including the EU Standard Contractual Clauses. However, uniform application of the law seems to remain ensured by the fact that only the ECJ shall have the ultimate decision regarding the validity of the challenged Commission decision.
The Schrems case arose from a challenge by Austrian law student Maximilian Schrems to the determination by the Irish Data Protection Commissioner that the existence of the Safe Harbor precluded the Irish agency from stopping Facebook's data transfers from Ireland to the U.S., even though Facebook was allegedly providing information to the U.S. intelligence services in violation of EU data protection laws. Following the opinion of the Advocate General, the ECJ concluded that the Safe Harbor did not offer the requisite protections and that the Safe Harbor arrangements should therefore be ended.
As with the annulment of the EU Data Retention Directive in 2014,[1] the ECJ decision in the Schrems case highlights again how quickly data protection law can change once the ECJ is ready to pronounce on it.
All companies using Safe Harbor as a basis for their data transfers to the U.S. (including in their agreements with suppliers) must review such transfers and ensure that another valid basis to provide for an adequate level of data protection is found. While the ECJ did not grant a grace period to companies transferring data on the basis of the Safe Harbor to adapt to this drastic change, data protection authorities in Member States might consider adopting a grace period before they start enforcing measures against companies that have not yet implemented alternative transfer instruments. Whether this option exists will, however, need to be verified with the local authorities in each Member State. The most relevant alternative transfer solutions readily available for companies in this situation are EU Standard Contractual Clauses. Other options, like consent of the data subjects, might also be considered, depending on the situation. Adopting Binding Corporate Rules is rather complex and time-consuming and thus not suitable as a "quick fix" solution but should be kept in mind as a possible mid- and long-term solution.
The ECJ decision will certainly have a strong influence on the ongoing negotiations between the EU and U.S. to amend the Safe Harbor's terms, now possibly conducted with a view to reinstating the Safe Harbor. Reinstating the Safe Harbor, however, will inevitably require Safe Harbor registrants to significantly bolster the protections they provide to personal data arriving from the EU.
In any event, further radical change is coming soon, with the final version of the new EU General Data Protection Regulation expected to emerge from the Trilogue process at the end of this year or early next year. The last few days have been a clear and dramatic reminder to international companies that they must keep data protection and cybersecurity issues high on the boardroom agenda.