US-EU Safe Harbor Framework Invalidated by European Court of Justice – What Now?
The Decision
The Court of Justice of the EU (ECJ) has declared Safe Harbor invalid – in total. The ECJ has sent the case back to the Irish Data Protection Authority to determine whether Facebook Ireland’s transfer of personal data to the US is permitted under EU data protection law, in light of Facebook’s participation in the NSA’s PRISM program and bereft of the shelter of Safe Harbor.
Key Holdings
There are two key elements of the ECJ’s decision. The first is that national data protection authorities in the EEA are authorized – indeed, required – to hear complaints from individuals with regard to the transfer of their personal data outside of the EEA regardless of whether the Commission has issued an adequacy decision. The second is a determination that the Commission’s adequacy decision concerning Safe Harbor is invalid. Period. It’s gone. (The full decision is now available online in English; other languages are also available at curia.europa.eu by searching on C-362/14. A press release was also issued by the ECJ summarizing the decision.)
Immediate Concerns
Most US companies that rely solely on Safe Harbor will initially focus on the second part of the decision invalidating Safe Harbor. That makes sense, because if Safe Harbor is your company’s only basis for legitimizing the transfer of personal data from the EEA to the US, your company is likely in violation of various contracts and, if your company is the data controller responsible for the transfer or otherwise directly subject to European data protection laws, it’s probably in violation of European data protection laws.
Near-term consequences? The possibilities include:
- termination of contracts and exposure to damages
- customer complaints to your company
- customer complaints against your company made to local Data Protection Authorities (DPAs)
- employee complaints (although rather less likely than customer complaints)
- loss of potential new business in Europe
- orders and injunctions issued by DPAs that force your company to stop transferring personal data
- internal costs, such as lost time of your General Counsel, your head of IT systems, head of consumer services and other senior executives, extensive internal and partner data audits, and so on
Can Safe Harbor be “Fixed”?
The invalidation of Safe Harbor in the blink of an eye (which came as a surprise largely thanks to the ECJ unexpectedly going far beyond the specific question presented by the Irish High Court) requires urgent action. But we should also be concerned about the first part of the ECJ’s decision, to the effect that local DPAs will always have the right and obligation to hear complaints from individuals even if the Commission has issued an adequacy decision. We should care about this because for nearly two years, EU and US bureaucrats have been trying to negotiate a more robust Safe Harbor. Let’s call that Safe Harbor II.
A few days ago, some commentators suggested that Safe Harbor II would save Safe Harbor-dependent companies because it would remedy the faults that the ECJ might find with the original Safe Harbor. But now we know that even if the Commission endorses a Safe Harbor II, it can be attacked on a country-by-country basis. Furthermore, the ECJ has effectively raised the bar for Safe Harbor II – in future judicial assessments of Commission decisions, the ECJ will take a strict approach to reviewing such decisions (see Para. 78 of Schrems). To achieve a Safe Harbor II that meets the ECJ’s stringent requirements, the Commission will, effectively, need to “ensure” that the US’s national security laws don’t allow the gathering of data beyond that strictly necessary to achieve their objectives (that is, objectives that the ECJ thinks are legitimate) and contain adequate safeguards for EEA individuals. Taken in its strongest form, this could include a right to know their data has been processed by intelligence services, a right to find out what data has been gathered about them, and a right to have incorrect or incomplete data rectified (see Para. 90 of Schrems), all of which would be, to say the least, in tension with the fundamentals of intelligence work.
In a nutshell, we may not get a Safe Harbor II any time soon, and if we do, we won’t be able to rely on it (not with any real confidence) until it’s been challenged through national DPAs, then the national courts, then referred to the ECJ – and we finally have an ECJ decision upholding it. In other words, Safe Harbor II will be negotiated with a wary eye toward the inevitable ECJ chopping block. As for what’s next on the chopping block, the Schrems opinion does nothing to settle concerns that model contract clauses and BCRs are vulnerable to attack on essentially the same basis as Safe Harbor. Consent is looking better and better all the time – little surprise that Facebook Ireland has an express consent to transfers to the US and other countries built into its terms of use.
The Primary Alternatives to Safe Harbor
Most readers will be aware that the European Union’s Data Protection Directive (1995) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection. Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection. The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.
Currently, over 4,500 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws. If your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it will need to find another basis for the transfer as soon as possible. The primary options are:
- Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid. It’s also important to keep records of the consent in case there’s a challenge.
- Binding corporate rules for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more). So while this is a longer-term option, it won’t help if Safe Harbor is not available. Also, BCRs are vulnerable on the same grounds as Safe Harbor.
- Contracts between the exporting and receiving entities. The European Commission has provided model clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data. However, see the cautions below.
- In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office.
Hidden Rocks Ahead
There’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option: BCRs and model contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU. If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts (and UK adequacy determinations) would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.
This all sounds a bit grim, doesn’t it? There are alternatives to Safe Harbor (including some very narrow “derogations” not discussed above), although they each have their own challenges. Rather than relying on a “one-size fits most” framework, we are back to case-by-case review of data flows and specific applications. The Mintz Levin privacy team is standing by to help your company navigate these new – and inevitably choppy – waters post-Safe Harbor.