The initial reports of the ECJ’s decision in the Schrems Safe Harbor case (C-362/14) indicate that the Court of Justice of the EU has declared Safe Harbor invalid and sent the case back to the Irish Data Protection Authority to determine whether Facebook Ireland’s transfer of personal data to the US is permitted under EU data protection law, in light of Facebook’s participation in the NSA’s PRISM program. We are awaiting publication of the decision and will report further after it becomes available.
In the meantime, here’s the background to this decision:
The European Union’s Data Protection Directive (1995) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection. Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection. The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.
Currently, over 4,500 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.
If your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it will need to find another basis for the transfer. The primary options are:
There’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option: BCRs and model contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU. If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.