Summary
The European Court of Justice (“ECJ”) has ruled that the 15-year-old Safe Harbor Data Protection Framework (“Safe Harbor”) between the United States and the European Union (“EU”) is invalid. According to the ECJ, it does not matter how carefully companies secure EU personal data, because the federal government may be accessing the EU personal data the U.S. companies receive. The demise of the Safe Harbor means American companies must find other legal avenues for bringing EU personal data to America, such as model contracts and binding corporate rules.
Background
In 1995, the EU adopted Directive 95/46/EC (“Directive”) which, beginning in 1998, generally prohibited the transfer of personal data from Europe to countries that do not assure an “adequate” level of legal protection. The EU found that the United States does not provide “adequate” protection to personal data, and thus the Directive would have prohibited the transfer of such data. To work around this problem, the U.S. Department of Commerce and the European Commission (“EU Commission”) agreed to the Safe Harbor framework. Under the Safe Harbor, companies could transmit personal data to U.S. companies that annually certify their compliance with the Department of Commerce. If a company promises to comply but fails to do so, it can be subject to an enforcement action by the Federal Trade Commission. In Europe, the company could be subjected to enforcement by the relevant data protection authority (“DPA”).
The validity of the Safe Harbor came under attack in the case of Maximillian Schrems v. Data Protection Commissioner. Schrems, who was an Austrian citizen, filed a complaint with the Irish Data Protection Commissioner (“DP Commissioner”) alleging that the laws of the United States do not adequately protect personal data. He asked that Facebook Ireland be prohibited from transferring his personal data to the United States. The DP Commissioner rejected Schrems’ complaint, finding that the EU Commission had irrefutably established the adequacy of protection in the United States when it adopted the Safe Harbor. Given that, the DP Commissioner felt he had no jurisdiction to investigate the complaint. Schrems then filed an action in the High Court of Ireland to challenge the DP Commissioner’s decision.
The High Court of Ireland concluded (based largely on revelations made by Edward Snowden) that the federal government carries out “indiscriminate surveillance and interception… on a large scale.” The court further concluded that such “mass and undifferentiated accessing of personal data” was incompatible with Irish law. However, the High Court questioned whether it was bound to accept the finding of the EU Commission in the Safe Harbor that the United States does in fact provide adequate protection or whether the DP Commissioner could investigate if the United States in fact provides adequate protection. The High Court referred this question to the ECJ.
The ECJ ruled that (1) the Safe Harbor does not prevent the DPAs in the EU (in the Schrems case, DP Commissioner of Ireland) from examining whether the U.S. adequately protects personal data, and the ECJ has the final say on that question and (2) the Safe Harbor is invalid. This means that, even if the EU and the U.S. were to adopt a revised Safe Harbor, the various DPAs in Europe could challenge the new Safe Harbor in the future. More importantly for the moment, the case means U.S. companies can no longer rely on the Safe Harbor to transfer personal data about their EU customers or employees to America.
October 15, 2015 Statement of Article 29 Working Party
Article 29 of the Directive established the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (the “Article 29 Working Party,” or “Working Party”). The Article 29 Working Party is an independent advisory panel that is tasked with providing expert advice to the EU Commission on questions of data protection.
In a statement that it released on October 15, 2015, the Working Party made it clear that any transfers made in reliance on the Safe Harbor after October 6, 2015 are unlawful. The working party also said that it intends to provide “direct information” to companies that it knows previously relied on the Safe Harbor.
Alternatives to Safe Harbor
The Safe Harbor was not the only way to transfer data from Europe to the United States. The other methods available are (1) unambiguous consent given by the data subject, (2) model contracts, and binding corporate rules. Model contracts contain standard contractual clauses, and may have to be filed with (notice filing) or approved by the relevant DPA. Binding corporate rules are legally binding internal corporate privacy rules for transferring personal information within a corporate group. They generally must be approved by the relevant DPA.
In its October 15, 2015 statement, the Article 29 Working Party said model contracts and binding corporate rules may still be used to transfer data to the United States. Nonetheless, a DPA may investigate particular cases, such as where a complaint is filed. Although the Working Party is only an advisory body, its members are composed of representatives from DPAs for the EU Member States. Accordingly, the statement should be reasonably reliable. However, the statement indicated that if a resolution is not reached with the United States by January 31, 2016, the DPAs will “take all necessary and appropriate actions, which may include coordinated enforcement actions.”
The EU and the United States are working to develop a revised Safe Harbor, which will hopefully be available soon. Until then, companies that receive data from Europe should consider using model contracts or binding corporate rules, even if only for the interim period.
View Document(s):
