On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the long-standing EU-U.S. Safe Harbor that thousands of companies have relied upon to comply with the EU’s stringent data protection laws. As a result, companies that transfer the personal data of European Union residents into the United States now face significant uncertainty about the legality of their data transfer practices.
The Safe Harbor
European data protection laws are some of the most stringent in the world. They have long imposed rigorous requirements on companies that collect, process, or transfer EU residents’ personal data (defined broadly as “any information relating to an identified or identifiable natural person”). Of key concern to businesses with global operations: EU law generally prohibits transfer of EU residents’ personal data to non-EU countries unless there is an “adequate” level of data protection.
Although there are multiple ways for a recipient to ensure an adequate level of data protection, the most popular method since 2000 has been the EU-U.S. Safe Harbor, which provided a faster, streamlined process for U.S. companies to demonstrate compliance with EU data protection laws. An organization could take advantage of the Safe Harbor by annually self-certifying with the U.S. Department of Commerce that it agreed to adhere to several privacy principles (such as notice, choice, and access) and by demonstrating its adherence to those principals by joining a self-regulatory program or developing its own, self-regulatory policy. Once certified, the company could freely transfer personal data from the EU into the U.S.
Although the Safe Harbor has for years been the subject of criticism that it does not do enough to protect the privacy of EU citizens, thousands of U.S. companies have come to rely on it as a key part of their compliance with EU’s data protection laws.
The CJEU Decision
On October 6, 2015, the CJEU invalidated Commission Decision 2000/520/EC (July 26, 2000) in which the European Commission recognized the Safe Harbor principles. Chief among the court’s concerns was “the large-scale access by intelligence agencies to data transferred to the [United States] by Safe Harbour [sic] certified companies . . . .” In short, due to the U.S.’s domestic surveillance practices, the court concluded that U.S. companies could not, simply by complying with the Safe Harbor, guarantee “adequate” protection of personal data.
The court explained:
“[t]he reliability of [a safe harbor] system . . . is founded essentially on the establishment of effective detection and supervision mechanisms enabling any infringements of the rules ensuring the protection of fundamental rights, in particular the right to respect for private life and the right to protection of personal data, to be identified and punished in practice.”
The court decided the European Commission has not properly established that the United States can provide such an environment. As of October 6, 2015, national data privacy regulators in the EU are not required to recognize the Safe Harbor as a means for organizations to comply with EU data protection laws when transferring personal data from EU countries to the U.S.
What It Means for American Businesses
The CJEU decision may not be of great import to most large multinational organizations which have side agreements with the EU permitting them to continue moving personal data across borders. Organizations that previously relied on Safe Harbor certification as their sole means for transferring data out of the EU to the U.S. in a legally compliant manner, however, must now seek another method of compliance. Failure to find an alternative means of compliance – or stop transferring data -- could expose such an organization to fines or orders to suspend data flows.
Happily, there are both operational and administrative alternatives companies can pursue to demonstrate they adequately protect the privacy rights of EU citizens. The most straightforward option for organizations is to set up servers in the EU to avoid transferring EU residents’ personal data to the U.S. altogether. However, this operational change is cost-prohibitive for many small and medium-sized companies, and it could also disrupt the delivery of products and services to customers.
EU law also permits companies to use so-called “model contracts,” which contain provisions pre-approved by EU regulators, to govern transactions involving trans-Atlantic data transfers. Another option for establishing lawful trans-Atlantic data transfers is to adopt Binding Corporate Rules (BCRs). Similar to the Safe Harbor, successful utilization of BCRs requires an organization to demonstrate implementation of adequate safeguards for protecting personal data throughout its organization. BCRs are not the solution for all organizations, though, as they only cover transfers between divisions or affiliates of the same enterprise. They do not cover transfers of personal data outside a corporate group. Moreover, neither of these options can be exercised overnight. Both BCRs and model contracts must be approved by data protection authorities in the EU, which generally takes about 18 months for the former and 3 to 6 months for the latter.
Negotiations to rework the Safe Harbor are ongoing, but there is no timetable for completion. Meanwhile, the CJEU’s ruling takes immediate effect. With the Safe Harbor invalidated, certain transfers of personal data from the EU to the U.S. now likely breach EU law.
Organizations transferring EU residents’ personal data in the course of their businesses should take heed of the CJEU’s ruling, and should either alter their data transfer practices or consult legal counsel to establish alternative methods to comply with EU data protection laws.