Life just got a lot more confusing, complicated and expensive for organizations that transmit personal data to the United States from the European Union (EU) under the frequently-used U.S. – EU Safe Harbor program. Why? Because the Court of Justice of the European Union (CJEU) just ruled that the Safe Harbor program is invalid, and created the possibility that transfer of personal data from the EU to the U.S. may have to be suspended on the ground that the United States does not afford an adequate level of protection of personal data. This ruling appears to be a direct result of European reaction to Edward Snowden’s 2013 revelations about the National Security Agency’s digital data surveillance programs.
For background on the Safe Harbor program and our earlier discussion of European criticism of its continued existence, please see our March 2015 article here.
Why Did the Court of Justice of the European Union Invalidate the Safe Harbor Program?
The EU Data Protection Directive provides that the transfer of personal data to a third country (e.g., the U.S.) may only occur if that third country ensures an adequate level of protection of the data. The CJEU invalidated the Safe Harbor program because it determined that the laws of the United States fail to ensure an “adequate level of protection” of personal data transferred from the EU. The CJEU concluded that “national security, public interest and law enforcement requirements of the United States prevail over the safe harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that [safe harbor] scheme where they conflict with such requirements.”
In particular, the Court found that:
The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.
Additionally, the Court found fault with U.S. laws “permitting the public authorities to have access on a generalized basis to the content of electronic communications”, stating that such laws “must be regarded as compromising the essence of the fundamental right to respect for private life.”
Also troubling to the Court was the fact that U.S. laws do not provide “any possibility for an individual (e.g., an EU citizen) to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.”
Finally, the EU high court ruled that the safe harbor program improperly denies EU data protection authorities the power to review challenges to the validity of data transfers to “third countries” (i.e., the United States).
The CJEU did note that that the Irish data authority is required to examine, with all due diligence, the complaint against Facebook that precipitated this case, “and at the conclusion of its investigation, … to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that [the U.S.] does not afford an adequate level of protection of personal data.” The entire CJEU decision can be accessed here.
What’s the Impact of This Decision?
In a word: unclear. For the time being, the Safe Harbor program is invalid in the judgment of the CJEU. Various commentators have noted that it is unlikely that EU data protection authorities will take immediate punitive action against private organizations that continue to transmit personal data from the EU to the U.S. under the guise of the Safe Harbor program – but there are no guarantees.
There were already efforts underway between the U.S. and the European Commission to modify the Safe Harbor provisions, and this may eventually lead to a “Safe Harbor 2.0” agreement. Such a revised program, if it occurs, will not happen overnight.
Other potential political solutions may be expedited as a result of the CJEU’s decision. For example, just last month the U.S. and EU finalized the terms of the so-called “Umbrella Agreement”, which puts in place a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation. The Agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the U.S. for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. As explained in an EU press release, “the Umbrella Agreement will provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-U.S. law enforcement cooperation and restoring trust.”
“Plan B” Considerations for Data Transfers from the EU to the U.S.
As we noted in our earlier article in March, without the Safe Harbor program, transfer of protected personal data from the EU to the U.S. is still possible – just more complicated, expensive and time consuming. Alternative methods exist under Article 26 of the Directive. Binding Corporate Rules (BCRs) or model contracts for the transfer of personal data outside the EU for every data transfer are options, but they are more resource (money and time) intensive and much less efficient than the Safe Harbor process.
As defined by the European Commission, BCRs are “internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.”
U.S. companies could also choose to keep all personal data governed by the EU Data Protection Directive within the EU, by building data storage capacity within EU member states.
The fallout from the CJEU decision is still occurring, so stay tuned for further updates.
