Today the European Court of Justice — Europe’s highest court — invalidated the Safe Harbor agreement and framework that has permitted more than 4,000 companies to transfer personal data from the EU to the U.S. The decision can be found here. In light of this decision, U.S. companies that have been relying on the Safe Harbor framework should immediately take steps to (1) ensure and document their compliance with current Safe Harbor requirements and (2) implement an alternative method — likely a contractual arrangement — to lawfully permit the flow of personal data from the EU to the U.S.
What the Decision Means to Businesses
Until today, there were four methods for complying with EU data privacy laws for EU to U.S. data transfers:
- Consent of the individual
- The Safe Harbor framework
- Model contracts with standard contractual clauses
- Binding Corporate Rules
With the Safe Harbor framework invalidated, and given the complexities and lengthy delays associated with relying on consent or Binding Corporate Rules, most U.S. companies will likely rely on putting model contracts with standard contractual clauses (model contracts) in place. The model contracts have been approved by the European Commission as providing adequate contractual protection to ensure that the privacy rights of individuals are respected as required by EU privacy law. While the European Court of Justice’s ruling could be used by individuals to challenge the validity of transfers based on model contracts, for the time being at least, model contracts remain a viable method for complying with the EU’s privacy laws.
Obtaining consent from individuals can raise complex questions about whether the consent is informed, voluntary and therefore enforceable, and consent is generally not an effective basis for transferring employee data. Binding Corporate Rules allow multinational corporations to make transfers among members of the corporate family across international borders, but they must be approved by the applicable data protection authorities. Implementing Binding Corporate Rules and obtaining governmental approval for them is typically expensive and time-consuming. Accordingly, it would be prudent for U.S. companies to act as soon as possible to work with the EU companies — whether affiliated or non-affiliated — that send personal information to the U.S. to get the contractual protections under the model contracts in place.
If an agreement (e.g., a services or sales agreement) currently exists between the U.S. entity receiving personal information and the EU organization sending personal information, the model contract clauses can be added as an amendment to the existing agreement. If the parties do not have an agreement in place where an amendment of this type would be suitable, then the parties can enter into an agreement mirroring the language of the model contract, adding information specific to the relationship and data transfer as called for in the model contract.
Companies should also closely watch continuing developments in the EU and statements coming from the European Commission. The EU and the U.S. are currently in negotiations to modify the Safe Harbor agreement. Additionally, we expect the Commission to issue guidance in the coming days or weeks with respect to EU to U.S. transfers of personal data in light of the ECJ’s decision.
More Information About the Decision
EU privacy law requires that, before the personal information of an EU citizen can be transferred outside of the EU, it must be determined that the receiving country has laws that adequately protect the privacy of such information. The European Commission had concluded that U.S. law does not protect personal information to the same extent as required under EU law. This led to the agreement and decision in 2000 approving the Safe Harbor framework, pursuant to which U.S. companies could self-certify their compliance with the Safe Harbor framework and principles, thereby permitting companies in the EU to transfer personal information to Safe Harbor certified companies in the U.S.
The European Court of Justice (ECJ) held that the European Commission (Commission) decision approving the Safe Harbor framework could not eliminate or even reduce the powers available to the EU data protection authorities (regulators) under applicable EU privacy law. The ECJ noted that the Commission was required to find that U.S. law in fact ensures a level of protection of fundamental rights essentially equivalent to that guaranteed under EU law. The ECJ then observed that the Safe Harbor framework applies only to the U.S. organizations that undertake to adhere to it; U.S. governmental authorities are not themselves subject to it. Additionally, U.S. national security, public interest and law enforcement requirements prevail over the Safe Harbor framework, so that U.S. governmental agencies must disregard the protective rules laid down by the Safe Harbor principles where they conflict with such national security and law enforcement requirements.
The ECJ noted that through the NSA’s PRISM program, U.S. governmental authorities were able to access personal data transferred from the EU to the U.S., and use it for purposes incompatible with the purposes for which it was originally transferred, beyond what was strictly necessary and proportionate to the protection of national security. The Court further noted that the individuals had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, corrected or deleted.
The ECJ found that U.S. law permitted the generalized storage of all the personal data of all the individuals whose data is transferred from the EU to the U.S., without any differentiation, limitation or exception being made in light of the objective pursued, and without an objective criterion for determining the limits of the governmental authorities’ access to the data and of its subsequent use. Thus, measured against EU law, the access available to U.S. law enforcement agencies was inconsistent with the EU’s fundamental right to respect for private life.
Based on these findings, the ECJ declared the Commission decision of 2000 approving the Safe Harbor framework invalid. The case began when Maximillian Schrems, an Austrian resident and Facebook subscriber, complained that Facebook improperly transferred his personal information from Ireland to the U.S., notwithstanding Facebook’s certification under the Safe Harbor framework. The decision has the practical effect of requiring the Irish data protection authority to examine Mr. Schrems’ complaint and to decide whether the transfer of the data of Facebook’s European subscribers to the United States should be suspended on the basis that the U.S. does not afford an adequate level of protection of personal data.