The Court of Justice of the European Union (“CJEU”), the highest court in the European Union, struck down the US-EU Safe Harbor process this week in a decision that will require companies to re-evaluate their compliance with laws governing cross-border data flows.
The CJEU held that the 15-year-old “Safe Harbor” process in use by 4,500 companies no longer fulfills the objectives of the Data Protection Directive, the 1995 European law that says that the transfer of personal data to a third country may take place only if that third country ensures an “adequate” level of protection of the data.
The decision did not provide a grace period for companies to make changes to their internal policies to ensure they remain in compliance with European law. Any business that transfers or receives data about any EU citizen – whether customer data or internal employee data – should be aware of the decision and should plan to ensure they remain in compliance with all privacy and data protection laws.
Since 2000, the US-EU Safe Harbor has provided companies with a clear compliance method for ensuring that they do not run afoul of European data privacy laws when transferring personal data from the EU to the US. US companies handling EU data self-certified that they complied with seven Safe Harbor principles for the protection of individual personal data. Enforcement agencies, including the Federal Trade Commission, would then monitor companies to ensure they complied with their commitments to privacy.
The latest case striking down the safe harbor process began with a 2013 complaint by an Austrian citizen, Max Schrems, who complained to the Irish data protection authority, the privacy regulator in Ireland, that Facebook was not complying with European law because of its cooperation with the National Security Agency. Relying on documents disclosed by former NSA contractor Edward Snowden, Schrems argued US law and surveillance policies did not provide sufficient privacy protections. The Irish data protection authority declined to investigate, citing the safe harbor arrangement.
This week’s CJEU decision reviewing the Irish data protection authority’s decision calls on the Irish agency to launch an investigation of Facebook’s cooperation with US officials. The decision also ends the safe harbor process.
The case sets a precedent that data protection authorities in EU member states are now obligated to consider private complaints: “where a person whose personal data has been or could be transferred to a third country … lodges with a national supervisory authority a claim concerning the protection of his rights and freedoms in regard to the processing of that data … it is incumbent upon the national supervisory authority to examine the claim with all due diligence.” The CJEU will have review power in resulting data protection authority enforcement actions.
Moreover, the court held that legislation such as the safe harbor program that permits “public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.”
The decision comes at a time when the European Commission and the Department of Commerce have been engaged in negotiations over revamping the safe harbor process to better comply with European law without compromising US national security interests. It remains to be seen what the impact of the CJEU’s decision will be on these negotiations.
Steps to Take
Companies that collect, store, share, or receive data on European citizens in a manner that at any stage involves the transmission of the data outside the geographic borders of Europe must evaluate their practices to ensure that they remain in compliance with European data protection laws. During this period of transition away from the safe harbor process, companies cannot rely on the safe harbor to protect themselves from enforcement actions initiated by European data protection authorities.
Traditional alternatives remain available following this week’s CJEU decision. These include binding corporate rules (“BCRs”), which enable companies to transfer certain types of data internally with the approval of the applicable European data protection authorities, and standard contractual clauses, which allow European companies to send local customer data to US services, such as cloud services. Implementing these options can be difficult, since their compliance requirements may be stricter than those under the defunct Safe Harbor regime. This week’s decision also calls into question whether these alternatives will remain viable in the long term.
Despite new hurdles for businesses, the decision will likely lead to emboldened European data protection authorities. Companies doing business in the EU should prepare not only to comply with data protection laws but also to provide proof of compliance to EU data protection regulators in the event of an investigation or inquiry.
Certain companies may be at increased risk of scrutiny. Companies that share data with US intelligence and law enforcement officials should evaluate how to continue to comply with US production orders while also adhering to European laws governing data of European citizens. US-based cloud providers should develop a strategy for maintaining compliance with EU law when contracting with and handling the data of European clients.
Businesses should consult with an attorney as they develop a plan to comply with all European data privacy requirements and manage risk that results from this week’s CJEU decision. If you have any questions or to request an evaluation of your data transfer policies, please contact Linda McReynolds at firstname.lastname@example.org.