Companies Must Find Alternative Means of Transferring Personal Data from Europe After the European Union’s Highest Court Declares U.S.-EU Safe Harbor Invalid
The Court of Justice of the European Union (CJEU) issued a ruling yesterday invalidating the Safe Harbor Program established by the European Commission (EC) in 2000. The Safe Harbor Program had previously allowed U.S. companies to transfer EU citizen data to the U.S. through a voluntary self-certification program. As a result of the decision on October 6, 2015, each member state of the EU may now determine whether the Safe Harbor Program constitutes “adequate” protection for EU citizen data. Since it is unlikely that the courts of any EU member state would take a position contrary to the CJEU’s decision, companies wishing to transfer EU citizen data to the U.S. may face the burden of complying with the individual data-protection laws of each EU member state.
The Safe Harbor Program was established by the EC in 2000 to facilitate the transfer of EU citizen data (e.g., human resources or employee benefits information) to the U.S. Under Article 25 of the EU Data Protection Directive, EU citizen data may only be transferred to countries that provide “adequate” protection for such data. While the U.S. has never been recognized by the EC as one of the eleven countries that provide the required “adequate” protection, the Safe Harbor Program allowed companies to transfer EU citizen data to the U.S. through a voluntary self-certification program. Under this framework, a company wishing to use the Safe Harbor had to certify its compliance annually with the U.S. Department of Commerce and adhere to seven data-protection principles: (1) notice, (2) choice, (3) onward transfer, (4) access, (5) security, (6) data integrity, and (7) enforcement.
Over 5,000 companies have used the Safe Harbor since its inception. However, in light of the controversy surrounding the collection of data by U.S. intelligence agencies, such as the NSA, the Safe Harbor has recently come under criticism. This issue was brought before the CJEU in 2014 by an Austrian law student, Maximilian Schrems, who argued that, because of the unrestricted access to data by U.S. intelligence agencies, the Safe Harbor does not actually provide “adequate” protection of EU citizen data. Mr. Schrems had originally brought his case as a challenge to Facebook’s compliance with EU data-privacy rules in Ireland, but the case was appealed to the CJEU after Ireland’s data-protection authority rejected Schrems’ challenge. The question at issue before the CJEU was whether the Irish data-protection authority must follow the EC’s official decision that the Safe Harbor provides “adequate” protection. On September 23, 2015, the CJEU Advocate General, Yves Bot, issued an influential but non-binding opinion on this case, recommending that the Safe Harbor Program be struck down because it does not provide the requisite level of protection. The CJEU’s October 6, 2015 decision concurs with the Advocate General’s opinion.
In reaching its decision to strike down the Safe Harbor Program, the CJEU found that the Safe Harbor enables “interference” between the national security interests of the U.S. and the “fundamental rights” of EU citizens whose personal data may be transferred to the U.S. Furthermore, the CJEU reasoned that the Safe Harbor allowed “national security, public interest, or law enforcement requirements” to trump the requirements of the Safe Harbor, but contained no mechanism to limit the reach of these requirements. Finally, the CJEU found that the Safe Harbor offered no avenue of redress for EU citizens and failed to allow individual EU data-protection authorities the right to review actions challenging the data transfer between a member state and another country.
What This Means for You
It is important to note that the CJEU’s decision does not expressly prohibit the transfer of EU citizen data to the U.S. under the Safe Harbor. But each EU member state now has the ability to determine whether the Safe Harbor provides “adequate” protection or is otherwise illegal under the data-protection laws of that member state. Because this case was originally brought in Ireland, that is the first member state expected to rule on this issue. However, it is likely that Ireland and other EU member states will side with the EU’s highest court. This means that companies wishing to transfer EU citizen data to the U.S. may have to undertake the potentially complex task of complying with the individual data-security laws of each separate member state, instead of complying with one set of requirements under the Safe Harbor.
There are other possible solutions to the challenges presented by this decision. First, a company can avoid transferring data from the EU to the U.S. by keeping all EU data on servers located in the EU. For companies with servers already located in the EU, such as Facebook, this may be a viable option. For other companies without such resources, building new server locations may not be feasible. Second, a company may use model contracts, which have been approved by the EC, to govern EU-U.S. data transfers. Unfortunately, because these model contracts are two-party instruments, they may not be useful, especially for data-transfer arrangements involving multiple parties (e.g., transfers involving outsourced service providers). Third, company transfers of personal data to non-EU countries may be made if the individuals whose data is being transferred provide unambiguous consent to the transfer, preferably in writing. Note, however, that the transferred data may only be used for the specific purpose authorized by the individuals’ consent, and the consent may be revoked. Fourth, and finally, a company may seek approval of a proposed set of internal data-protection rules from applicable EU member states — i.e., so-called “binding corporate rules.” However, this approach also has drawbacks, as the approval process can sometimes take years.
This decision does not necessarily mean that no safe harbor program is valid between the U.S. and EU — a new program could certainly be implemented. Negotiations have been pending between the U.S. and EU since 2013 to shore up the requirements of the old Safe Harbor and to implement additional protections against access to EU citizen data by U.S. intelligence agencies. The CJEU’s decision today will likely re-energize these slow-moving negotiations, and we may see a new and improved Safe Harbor in the future. Until then, companies are left to deal with the potential burdens of EU-U.S. data transfer without a dependable Safe Harbor framework.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.