Almost every company somehow processes personal data (data relating to its employees, its customers or suppliers, data collected by cookies or website plugins, etc.). According to EU data protection legislation, any such personal data may freely circulate within the EEA. Conversely, any transfer/flow of personal data outside the EEA is only allowed if the third country concerned ensures an ‘adequate level of protection’.
The US is not (yet) considered to provide an ‘adequate level of protection’. Consequently, a transfer of personal data from the EEA to group companies, servers/data centres, IT service providers or other data processors or contractual partners located in the US, will only be allowed under a limited number of specific circumstances, amongst which:
- when the transfer is strictly necessary for performance of a contract with the data subjects concerned;
- when the data subjects’ prior express written consent to such transfer has been obtained;
- through the intra-group adoption of ‘Binding Corporate Rules’ (internal codes of conduct);
- if a data transfer agreement is concluded with the non-EEA data receiver, incorporating the unmodified standard contractual clauses approved by the European Commission; or
- if the US data receiver is Safe Harbour certified.
Safe Harbour certification is granted by the US Department of Commerce to companies/organisations that comply with a set of ‘Privacy Principles’ that are deemed to provide adequate personal data protection pursuant to a Decision of 26 July 2000 of the European Commission (2000/520/EC). The effect of that decision is that personal data can flow from the EU and EEA member countries to the certified US company/organisation without any further safeguard being necessary. At this moment, over 4,500 US companies (among which Apple, Google, Facebook and many US-based service providers) are Safe Harbour certified. Thousands of other EU-based companies use Safe Harbour certified contractual partners.
The CJEU judgment
1. Invalidation of safe harbour certification system
In its judgment of 6 October 2015, the EU Court of Justice (“CJEU”) decided that Commission Decision 2000/520/EC, which established the ‘adequacy’ of the Safe Harbour certification system, is invalid.
As long as US law allows personal data in the US to be accessed by the NSA and by other United States security agencies in the course of a mass and indiscriminate surveillance and interception of such data, without any effective judicial protection for EU citizens, Decision 2000/520/EC does not contain sufficient guarantees to ensure adequate data protection in case of data exports.
This means that a US entity’s Safe Harbour certification is no longer a valid legal basis for its data exports to the US, and that data exports based on the certification regime are, in principle, illegal, with immediate effect.
2. Powers of national data protection authorities
Secondly, the CJEU expressly confirmed that the European Commission’s evaluation of what is ‘adequate protection’ does not overrule the powers of national data protection authorities to restrict data exports.
The European Commission has so far recognized Andorra, Argentina, (parts of) Canada, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US under the Safe Harbour regime, as providing adequate protection. According to the CJEU, notwithstanding this adequacy finding by the European Commission, the relevant national authorities may still investigate a complaint alleging that a third country does not ensure an adequate level of data protection and, where appropriate, suspend/prohibit the transfer of that data.
Taking into account the increasing activism displayed by national data protection authorities in the EU member states (which continue to bolster their investigative and sanctioning powers), data exports to other non-EEA countries may similarly be suspended in certain member states.
3. Far reaching consequences and business impact
This judgment has far-reaching consequences for anyone in the EEA transferring personal data to the US based on Safe Harbour. These parties will have to find another way to legitimize their data exports; failing that, EEA-US data flows are considered illegal, and non-compliant data controllers run the risk of substantial fines: up to EUR 810,000 in the Netherlands (as from 1 January 2016) and up to EUR 600,000 in Belgium.
The adoption of Binding Corporate Rules (intra-group only) and/or the conclusion of standard data transfer agreements with data receivers, are alternatives worth considering.
It remains to be seen how the political actors will respond to the judgment of the CJEU, and whether or not a transitional regime or grace period will be adopted. It is, in any case, expected that a new ‘adequacy’ regime will be part of the ongoing data protection negotiations between the EU institutions and the US government, which have now become more necessary than ever.