The Court of Justice of the European Union has issued a landmark judgment in Schrems v Data Protection Commissioner (Case C-362/14) that invalidates the U.S.-EU Safe Harbor Framework, the scheme administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission (FTC). The decision has significant practical implications for U.S. companies that rely on this scheme to transfer personal data from the EU to the United States.
- The Safe Harbor framework was one of the most frequently used mechanisms for transferring personal data from the EU to the U.S. U.S. companies must now find other solutions for such transfers, such as adopting the model data transfer agreements (standard contractual clauses) approved by the European Commission.
- The decision by the EU’s highest court, the Court of Justice of the European Union (CJEU), applies to all U.S. companies that rely on Safe Harbor to transfer personal data to the U.S. and cannot be appealed.
- The FTC and Congress are reviewing the CJEU’s decision, and discussions continue about potential legislation to address the concerns raised by the decision. EU data protection regulators are also in emergency meetings to consider the implications of the decision.
Transfers of Personal Data
Under the European Union Data Protection Directive, personal data may only be transferred outside of the European Union to countries that ensure an ‘adequate’ level of protection for the data. While certain countries have been designated as adequate, the U.S. has not.
While the EU and U.S. both provide extensive protection for personal privacy, their approaches are very different. To bridge the gap, in the late 1990s the U.S. Department of Commerce, in consultation with the European Commission (the EU’s executive body), developed the Safe Harbor framework to give U.S. companies a method of receiving personal data from the European Union in a way that was consistent with the EU Data Protection Directive. In 2000, the European Commission decided (Decision 2000/520) that transferred data would be “adequately” safeguarded if the receiving U.S. company self-certified its compliance with the Safe Harbor principles. Because self-certification was comparatively simple, Safe Harbor was often the first-choice option for U.S. companies.
Since then, there have been three principal ways of ensuring ‘adequate’ protection:
- Data transfer agreements incorporating standard contractual clauses mandated by the European Commission
- Binding Corporate Rules, a set of internal rules adopted by global companies to govern intra-group transfers between companies, which have been approved by European data protection authorities as offering an adequate level of protection for personal data
- Through the recipient’s Safe Harbor certification for transfers to the U.S.
As a result of the Schrems decision, the third option is no longer available.
Facebook and the Challenge to the Irish Regulator
Like many U.S. corporations, Facebook Inc. organizes its EU operations around its Irish subsidiary. Facebook users in the EU enter into a contract with Facebook Ireland which permits personal data to be transferred for processing in the U.S. on the basis of the Safe Harbor principles.
In June 2013 an Austrian student, Max Schrems, requested that the Irish Data Protection Commissioner exercise statutory powers to prohibit the transfer by Facebook Ireland of his personal data to the U.S. — on the basis that U.S. law and practice did not ensure adequate protection against surveillance activities by public authorities following the Snowden revelations. The Irish Data Protection Commissioner refused to intervene, on the basis that EU Commission Decision 2000/520, finding Safe Harbor adequate, could not be overruled. In reviewing the decision, the Irish High Court referred the issue to the Court of Justice of the EU, which ensures that EU law is interpreted consistently in every EU member country.
The Decision of the Court of Justice of the European Union
The CJEU held that Commission Decision 2000/520 does not eliminate, or even reduce, the powers available to the national supervisory authorities, including the power to investigate the propriety of data transfers.
Specifically, the CJEU found that, when considering a claim brought by an individual, a national supervisory authority must be able to examine, with complete independence, whether the transfer of that person’s data to a third country complies with the Directive. In addition, the CJEU found that the Safe Harbor Decision was itself invalid.
Why Is Safe Harbor Invalid?
The CJEU held that the European Commission was required to assess whether the U.S. ensures, by reason of its domestic law or its international commitments, an adequate level of protection for privacy. In the CJEU’s view, the Commission made no such finding about U.S. law as a whole, but merely examined the Safe Harbor scheme itself.
In particular, the CJEU noted:
- The Safe Harbor scheme only applies to U.S. companies which sign up to it; U.S. public authorities are not required to comply with Safe Harbor principles
- In case of any conflict between U.S. law and Safe Harbor principles, organizations must comply with U.S. law
- The Safe Harbor principles are subject to a broad derogation on the basis of national security, public interest or law enforcement requirements, which does not provide adequate protection for individuals’ fundamental privacy rights
- The Commission Decision 2000/520 does not refer to the existence of any rules intended to limit or protect against such interference
There is nothing in the CJEU’s decision to indicate misuse of personal data by any of the more than 4,000 companies that have signed up to the Safe Harbor principles. The decision relates solely to potential access by government bodies, which is usually outside the control of commercial organizations.
The underlying issue is ultimately a political one that must be addressed on a government-to-government basis. In the meantime, U.S. companies that have relied for years on Safe Harbor must consider the implications of the decision for their businesses and determine next steps.
Do we need to stop transfers?
In practical terms, U.S. companies operating in Europe will not be able to stop transferring data to the U.S. in favor of conducting all of their data processing in data centres in the EU. As a result, short-term solutions will need to be implemented in the form of Model Contracts (data transfer agreements incorporating the Commission’s standard contractual clauses). Obtaining consent from data subjects and anonymizing data may also provide some relief, although regulators in some countries remain skeptical of the validity of consent as a basis for routine transfers. In the longer term, Binding Corporate Rules should be considered by U.S. companies, particularly as many corporations that have fully implemented the Safe Harbor principles will, in practice, already have complied with much of what is required for Binding Corporate Rules.
Will we get sued?
Enforcement of EU privacy laws is the responsibility of the national supervisory authorities. There are different approaches in different countries, although most regulators have the power to impose fines, conduct investigations and issue enforcement notices requiring companies to take action. Early indications are that the U.K. regulator intends to adopt a commonsense approach, recognizing that it will take some time for businesses to review and modify their data transfer arrangements.
Many EU member states and national data protection regulators have expressly approved transfers on the basis of Safe Harbor. The national data protection regulators are currently considering the implications of the decision, and it is possible that a uniform approach will emerge. It is unclear whether any solution will include a standard grace period for compliance.
Any U.S. company that engages in, or is likely to engage in, transfers of personal data from the EU to the United States should understand the implications of this decision. In the short term, companies should consider immediately implementing data transfer agreements incorporating the standard contractual clauses mandated by the European Commission. Other options may also be available depending on the specific data being transferred and the countries involved.