How should businesses respond to the recent ruling by the Court of Justice of the European Union concerning the validity of the Safe Harbor?
UK and US businesses are clearly alarmed by the news that the Court of Justice of the European Union (CJEU) has ruled the current Safe Harbor regime ineffective, with the consequence that businesses that transfer data from the EU to the US may be in breach of EU and UK data protection legislation.
Under EU data protection law, there is a general prohibition on the transfer of personal data to a country outside the European Economic Area (EEA) unless that country ensures an “adequate level of protection” for the personal data. The European Commission (the Commission) has certified that a number of non-EEA countries do provide “adequate protection”.
A decision published by the Commission in 2000 (the Decision) set out that organisations should achieve an adequate level of protection for the transfer of data from the EEA to the US if they comply with the Safe Harbor privacy principles and the frequently asked questions providing guidance for the implementation of those principles issued by the US government.
Why is the Safe Harbor decision invalid?
The CJEU has now ruled that the Decision is invalid because:
- the Commission failed to comply with the requirements stipulated in article 25(6) of the Data Protection Directive (which provides that the Commission may find that a third country ensures an adequate level of protection, by reason of its domestic law or of the international commitments it has entered into, for the protection of the private lives and basic freedoms and rights of individuals);
- the Decision did not state that US domestic law or international commitments in fact “ensure” an adequate level of protection; and
- the Decision sought to restrict the powers of national supervisory authorities (such as the Information Commissioner’s Office (ICO) in the UK) to consider claims concerning the protection of a person’s rights and freedoms with regard to the processing of personal data concerning them.
In particular, there are concerns regarding legislation in the US permitting public authorities to have access on a generalised basis to the content of electronic communications. The CJEU also referred to the fact that there is no legislation in the US providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain rectification or erasure of such data.
The CJEU ruling has significant implications for EU-US trade, with approximately 4,500 businesses having certified that they comply with the Safe Harbor principles. Perhaps not surprisingly, the reaction to the ruling has differed on either side of the Atlantic.
The Commission said the ruling confirmed the need to have robust data protection safeguards in place before transferring citizens’ data. The US Secretary of Commerce stated that the US is prepared to work with the Commission to address the uncertainty created by the court’s decision so that US and EU businesses that have complied with Safe Harbor can continue to grow the world’s digital economy.
The authorities on both sides recognise that it is not practicable simply to stop transferring personal data to the US and they will seek to agree improvements to, or an effective replacement for, Safe Harbor. Discussions in that regard have been taking place for some time already between the Commission and the US authorities, with nothing yet to show for them, although the US Secretary of Commerce acknowledged in her statement that the CJEU decision necessitates the release of the updated Safe Harbor framework as soon as possible.
To be valid under EU law, any replacement for Safe Harbor would require concessions from the US so that the US data protection regime was broadly equivalent to the EU regime, something which would require a substantial shift in the US position, of which, to date, there has been no sign. We can therefore expect to see some concessions from the EU side as well. Any concession made by the EU must be consistent with the Charter of Fundamental Rights of the European Union, in particular the right to private and family life (article 7), protection of personal data (article 8) and the right to an effective remedy (article 47).
In a short statement issued following the CJEU ruling, the ICO confirmed that, as a result of the judgment, businesses that use Safe Harbor “will need to review how they ensure that data transferred to the US is transferred in line with the law”. The ICO recognises that this will take time, and it does not expect businesses that relied on Safe Harbor to implement new procedures immediately.
Both the Commission and the ICO have been keen to stress that Safe Harbor is not the only option, and the Commission specifically referred to the Model Contractual Clauses published by the Commission to govern international data transfers. However, these may not be practical in every case.