On October 6, 2015, the European Court of Justice (the “Court”) ruled that the EU Data Protection Commission’s U.S. Safe Harbor Decision[1] (the “Safe Harbor Decision”) is invalid. The European Union Data Protection Directive forbids the transfer of personal data to a country outside the European Economic Area (“EEA”) unless that country has adequate data protection measures in place. American data protection laws have long been deemed inadequate in the eyes of EU decision makers; therefore, the Safe Harbor Decision was designed to facilitate data transfers between the EEA and the U.S. The Safe Harbor Decision allowed American companies to self-certify that they complied with European privacy standards in order to legally receive exports of personal data from the EEA to the U.S. For the past fifteen years, companies have relied on the Safe Harbor Decision for the transfer of personal data[2] between the U.S. and the EU.
Overturning the Safe Harbor Decision.
The invalidation of the Safe Harbor Decision will require companies to comply with the EU’s far more strict approach to data privacy and protection, which includes a much broader definition of personal data than used in the U.S., and which requires a fundamental restructuring of the way many companies currently collect, store and transfer personal data.
As part of its rationale, the Court cited concerns regarding the broad surveillance practices of the U.S. National Security Agency, which the Court found to interfere with the fundamental right to protection of personal data.
“…in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.”
Under the Safe Harbor Decision, if companies self-certified compliance with the so-called “safe harbor principles,”[3] the EU assumed that there was adequate protection of personal data. This is no longer the case. While the Safe Harbor arrangement adopted by the U.S. under the supervision of the U.S. Federal Trade Commission or Department of Transportation remains in place, the EU will no longer assume that Safe Harbor compliance equates to an adequate level of protection for personal data.
What Does This Mean for Businesses?
The safe harbor principles have traditionally been construed broadly and, for the most part, compliance has been relatively painless, regardless of a company’s size. Now, however, companies that collect, store or transfer personal data in or from the EU will need to comply with the EU’s more stringent data-privacy laws or risk sanctions from EU data protection authorities (which may be enforced on a country-by-country basis).
Unless and until a new data transfer framework is established, companies will need to adopt Binding Corporate Rules[4] or model contract clauses,[5] which require companies to obtain users’ explicit and freely given consent to the transfer of their personal data. These options are often inflexible, time-consuming and expensive.
The Court’s ruling takes effect immediately, so companies should waste no time in analyzing their data collection, storage and transfer practices to determine whether there is any risk of running afoul of EU data-privacy laws. If such a risk is found, immediate changes should be made to bring these practices into compliance.