The US Safe Harbor scheme has been declared invalid by the Court of Justice of the European Union (CJEU) in Case C-362/14 Maximillian Schrems v Data Protection Commissioner following the recent opinion of Advocate General Bot.
This decision is hugely significant for companies that rely on Safe Harbor as a simple and cost-effective legally compliant mechanism to transfer European personal data to group companies or suppliers in the US. Technology, telecommunications and cloud companies which have been key in enabling the digital revolution and which have benefitted from the free flows of European customer data to the US will be hardest hit. Now companies will need to consider additional compliance steps to ensure an adequate level of protection for EU-US data transfers, or face potential regulatory action.
In this note, we explain what the judgment means for businesses and the steps which they can take to ensure compliance with European law in their EU-US data transfers.
In 2013, Edward Snowden leaked details of mass surveillance activities of European individuals undertaken by US authorities, which were widely viewed as violating European rules. In the wake of these revelations, privacy activist Maximilian Schrems complained to the Irish Data Protection Commissioner (Irish DPC) about the transfer of data from Facebook Ireland to servers in the US.
Schrems argued that US authorities’ access to users’ personal data meant that Facebook did not ensure an adequate level of protection as required by European law and he asked the Irish DPC to investigate. This was refused as the transfer was made under Safe Harbor – a mechanism for EU-US data transfers that the European Commission had already deemed to be adequate (Decision 2000/520).
Schrems appealed the decision to the Irish High Court, which asked the CJEU whether national data protection authorities are bound by adequacy decisions of the European Commission or alternatively whether they may and/or must conduct their own investigations in certain circumstances.
The CJEU has now decided that:
- Safe Harbor is invalid;
- Mass and indiscriminate surveillance activities by US authorities are a violation of the Data Protection Directive and the fundamental rights afforded to European citizens under the Charter of Fundamental Rights of the EU; and
- A data protection regulator must be able to exercise its independence to suspend a transfer if it finds that the protections offered to European individuals are inadequate – i.e. it is not necessarily bound by a European Commission decision of adequacy.
Thus, the decision essentially follows the non-binding opinion of the Advocate General, Yves Bot, who advised the CJEU on 23 September 2015 that Safe Harbor was invalid.
The Commission’s response
In response, the Commission has already confirmed that negotiations with the US for a “safer” Safe Harbor framework will continue. It is also committed to working together with the Article 29 Working Party and the national data protection authorities to achieve a uniform application of the CJEU’s decision across EU Member States.
What this means
US technology companies will have to increase protective measures
Businesses which have previously relied on Safe Harbor to ensure an adequate level of protection face an uncertain period during which they will need to adopt alternative solutions. Regulators are likely to require robust evidence that data is being protected and will very likely demand additional protective measures be put in place for data transfers to the US – such as Binding Corporate Rules (for intra-group transfers) or European Commission approved model clauses – at least until a new Safe Harbor framework is agreed.
The timing for the requirements of additional measures and guidance by regulators is currently unclear. However, while the Safe Harbor option has been rendered invalid with immediate effect, businesses should bear in mind that Binding Corporate Rules can take months to receive regulatory approval, and even model clauses need to be filed and approved by regulators in some parts of the EU.
Greater scrutiny by regulators
Regulators may independently scrutinise and suspend international transfers if there are doubts about adequacy. With this high-profile decision, European activists and motivated individuals may potentially use existing rights to deluge companies with questions about where their data is transferred. Individuals may also make complaints to regulators and demand action, putting pressure on regulators to enforce European data protection law against non-compliant companies.
Regulators are not generally sufficiently resourced to handle significant increases in complaints and are expected to promptly release new guidance on the steps which they suggest companies take to ensure compliance. Companies who have previously relied on Safe Harbor will quickly need to digest and then take account of any new guidance. Companies will also need to undertake additional due diligence on EU-US data transfers to ensure adequate protection and that there are no violations by their US data processors, or face potential regulatory action.
Implications for other European Commission decisions
Given that the CJEU has emphasised that a data protection regulator should always be able to exercise its independence in relation to Safe Harbor, similar considerations are likely to apply to other European Commission decisions as to adequacy (e.g. in relation to specific jurisdictions such as Israel and New Zealand, and in respect of other transfer solutions such as EU-approved model contracts).
These give rise to the possibility that European activists and motivated individuals may raise further complaints with regulators about other specific arrangements, which regulators will then need to investigate. Further, regulators may well increase their scrutiny of data transfers to all destinations because, in principle, some of the deficiencies adjudged by the court to exist with the Safe Harbor framework could apply to other solutions as well.
Renewed pressure on political discussions between EU and US for a revised Safe Harbor framework
The decision will put extra pressure on the EU and US to accelerate their on-going discussions for a revised Safe Harbor framework and/or other EU-US arrangements to address the issues identified (namely the perceived disproportionate access to European individuals’ personal data by US authorities without any rights of recourse for affected individuals). Further, even once agreed, that framework or those arrangements will still be subject to review by national data protection regulators, who may decide to suspend transfers if they are not convinced that the measures are adequate.
Practical steps you can take to ensure on-going compliance
• Carry out due diligence: Investigate the actual measures that your US-based recipients of data have in place to provide an adequate level of protection for personal data that you control. Understand whether or not these involve Safe Harbor.
• Revise your data processing agreements: Include additional contractual obligations to ensure that appropriate compliance steps are included and to require your data processor to help you with information and assistance if a regulator investigates your data transfer arrangements.
• Keep an eye out for new regulator guidance: Regulators are likely to issue new guidance on what constitutes “adequacy” under local law and the action that the regulator will take if this standard is not met. Bear in mind that this guidance may vary by regulator/country.
• Be proactive and put in place alternative data transfer solutions now: These include approved EU model contracts or Binding Corporate Rules.
• Check for alternative data processing options: Verify whether your data processor offers processing solutions which do not require a transfer of personal data to entities relying on Safe Harbor.
The CJEU judgment is available here.