A major European court has just pulled the rug out from under nearly 5,000 US companies, snatching away the relative business certainty of the Data Transfer Safe Harbor, and maybe the safety of standard contract clauses and binding corporate rules as well. Now a company must meet the specified rules of each EU country in which it collects relevant data.

Right now, the only way to be certain that your company is meeting its requirements for data processing is to manage servers within the EU so that data does not pass into the United States. Realistically, it is likely to take many months at least for EU member countries to develop their own rules on this matter, so it is unlikely that previously safe-harbor certified U.S. businesses will be attacked right away by the EU data agencies. Keep watching this space as Womble Carlyle will update you as the new rules roll out.

The European Union has always felt that its privacy protections for individuals are stronger than those in the United States, and Directive 95/46/EC of the European Parliament and of the Council adopted October 25, 1995 (as amended, “Directive 95/46”) prohibits the transfer of personal data of EU residents to countries that do not ensure an adequate level of privacy protection, such as the United States.

Until now, certain mechanisms created by the EU allowed companies in EU countries to transfer personal information to be processed in the United States. The best known of these mechanisms, known as the Safe Harbor Privacy Principles, allows US companies that self-certify their data policies meet EU standards and register that certification with the US Commerce Department.  EU Commission Decision 2000/520 of July 26, 2000 (“Decision 2000/520”), decided pursuant to Directive 95/46, essentially provides that US laws, buttressed by the Safe Harbor Privacy Principles, provide an adequate level of privacy protection such that transfer of personal data from EU countries to the US (if the recipient company agrees to comply with the Safe Harbor Privacy Principles) is not prohibited. By agreeing to comply with EU’s Safe Harbor Privacy Principles, US companies could bridge the gap between US privacy laws considered to be more business-friendly and EU laws, considered by the EU to be more protective of individual privacy rights.

Currently, 4,465 companies are on the US-EU Safe Harbor List because they have certified as adhering to the Safe Harbor Privacy Principles.

Today, the European Court of Justice (the “ECJ”) issued an opinion undermining the US-EU Safe Harbor Framework and US companies’ ability to rely on safe harbor. In Maximillian Schrems v. Data Protection Commissioner, Mr. Schrems is an Australian national and user of Facebook, which operates in the EU through Facebook Ireland, a subsidiary of Facebook, Inc. Personal data of Facebook’s EU users is transferred to Facebook Inc.’s servers in the US, where such data is processed. Mr. Schrems made a complaint to the Data Protection Commissioner, Ireland’s data supervisory authority, requesting the Commissioner to prohibit Facebook Ireland’s transfer of his data, claiming that US laws do not ensure adequate protection of personal data from surveillance activities conducted by US authorities. He cited Edward Snowden’s revelations concerning the NSA as evidence for his argument.

The Commissioner refused to investigate Mr. Schrems’ claims on the basis that the adequacy of data protection in the US had to be determined in accordance with Decision 2000/520, whereby the EU Commission had already found that the US ensured an adequate level of protection when US companies comply with the Safe Harbor Privacy Principles. Mr. Schrems challenged the Irish Commissioner’s decision in the High Court of Ireland. The High Court determined that if the proceedings were determined in accordance with Irish law alone, there is serious doubt as to whether the US ensures an adequate level of protection of personal data because of the United States’ potentially overreaching practices of surveillance and interception of personal data. Thus, the Commissioner should have investigated Mr. Schrems’ claims The Irish High Court’s opinion further challenged the legality of the safe harbor framework, namely whether or not the data supervisory authorities established in each EU country have the right to examine individuals’ claims concerning privacy rights in the transfer of data to a non-EU country when the EU Commission has already found that such third country provides an adequate level of protection via the safe harbor framework.

The ECJ held that EU law provides that the national supervisory authorities, like Ireland’s Data Protection Commissioner, are responsible for monitoring compliance with EU privacy rules, and thus, they each have the power to ensure that data transfers from its own country comply with Directive 95/46. Consequently, the ECJ held that the national supervisory authority has the right to investigate an individual’s claim concerning the privacy of his or her personal information, even when the country to which the data at issue was transferred is the subject of an EU decision pursuant to Directive 95/46, like the US is subject to Decision 2000/520. 

The ECJ took its reasoning a step further to determine whether Decision 2000/520 was valid in light of widespread concerns about the United States’ surveillance activities affecting personal information. The Court notes that the Safe Harbor Privacy Principles are intended for use by US companies and the US public authorities are not required to comply with them. In addition, Decision 2000/520 states that the applicability of the Safe Harbor Privacy Principles may be limited to the extent necessary to meet the requirements of national security, public interest, or law enforcement and, when Safe Harbor Privacy Principles conflict with US law, US law will govern.  The ECJ found these holes in the safe harbor framework to be incompatible with EU rights to privacy.

The ECJ noted:

[L]egislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life…

Schrems v. Data Protection Commissioner, Judgment of the Court, Section 93.

The ECJ accordingly held that Decision 2000/520 is invalid.

The ECJ did not consider national security agencies in the EU member states, many of which have similar or more rights to review data than comparable agencies in the US.  See, for example, the new French surveillence law:  http://techcrunch.com/2015/06/25/france-adopts-extensive-surveillance-law/ .