Court Invalidates US-EU Data Transfer Safe Harbor Program


The European Union’s highest court has, effective immediately, invalidated the US-EU Safe Harbor program relied upon by many companies as the basis for lawfully transferring and processing personal information from the EU to the United States. The October 6, 2015 decision by the Court of Justice of the European Union (CJEU) held that:

  • The 2000/520 European Commission Decision that established the US-EU Safe Harbor is invalid and has been struck down, based on its exceptions for government access to personal data; and
  • EU national authorities have the power to investigate any claim that personal data subject to European laws is being transferred to a third country, like the United States, which has not been deemed to provide adequate protection to the data, and potentially to suspend such data flows.

Companies that have been relying on the Safe Harbor should promptly evaluate options for addressing this development. As described below, those options include alternative grounds for the authority to make data transfers and limitations on the data that are transferred. Goodwin Procter LLP will be holding an informational Webinar to provide more insights into the decision and its practical impacts on companies on Friday, Oct. 9, at 2 p.m. EDT.

The Case and Decision

An Austrian national complained that Facebook’s Irish subsidiary transferred his personal data to the United States, where it was then capable of being accessed by the National Security Agency and other agencies. The Irish Data Protection Commissioner refused to investigate the complaint because the company was certified under the Safe Harbor program. The CJEU has now declared the Safe Harbor to be invalid and has sent the case back to the Commissioner, who will decide whether to suspend data flows between Facebook Ireland and Facebook USA.

What Should Safe Harbor Participants Do?

Given the Decision, adherence to the Safe Harbor is no longer sufficient to ensure the legitimacy of transfers of personal data from the EU to the US. Although this leaves any entity that relied solely on Safe Harbor exposed to possible claims that its data transfers are unlawful, we expect many regulators to allow companies some time to reorganize their programs and implement alternatives. Companies thus should promptly evaluate, identify, and prioritize data transfers for which they relied on the Safe Harbor, and should identify alternative or additional compliance mechanisms. Companies also should be prepared for less leeway in countries, such as Germany, where the Safe Harbor has long been subject to scrutiny.

There are various possible alternatives to the Safe Harbor. The best solution for any company will depend on its particular circumstances, and thus needs to be determined on a company-by-company basis in an informed manner. The alternatives include, among others:

  • Consent. EU data protection laws permit the transfer of personal data where the individual has given his or her specific, informed, and freely-given consent to the transfer of his or her personal data.
  • Model clauses. Companies exporting and importing EU personal data may rely on standard contractual clauses that have been approved by the European Commission. Companies will have to go through the time and expense of entering into the appropriate model clauses agreement with each EU data exporter.
  • Binding Corporate Rules (BCRs). BCRs are an alternative compliance mechanism for companies sharing personal data with US group companies only. Because BCRs apply only to group companies, they are not appropriate for all data transfers.
  • Anonymization of personal data. Companies may also consider whether there is an actual business need to transfer personal data from the EU to the US. If companies can rely on anonymous data instead of transferring actual personal data, that data would fall out of the scope of EU data protection laws.
  • An Eventual Safe Harbor Replacement? There is hope for a Safe Harbor 2 accord and discussions towards this end are already far advanced. If such discussions are successful, companies that had relied upon the Safe Harbor may have a new self-regulatory regime in which to participate.

Further Implications

The decision by the CJEU will have additional far-reaching practical consequences:

  • Existing commercial relationships, especially between data controllers and data processors (service providers to data controllers), will likely receive close scrutiny as controllers seek to ensure that any work done on their behalf meets applicable legal requirements. In many instances novel or unusual business models or industries that have thrived under the Safe Harbor program may face significant regulatory uncertainty and risk because alternatives may be difficult or impossible to implement.
  • Pan-European approaches to compliance will continue to be challenging. Fragmented, country-by-country decision-making will continue at least in the near future, increasing legal costs and hindering market entry.
  • Government surveillance programs will continue to have dramatic consequences for international commerce and for Internet and related technology developments.
  • Many of the benefits of a free and open Internet may be threatened or disrupted by decisions that encourage data localization and discourage free cross-border flows of information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising
