The end of Safe Harbor

EU data protection law prohibits the transfer of personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. One of the ways certain US organisations used to be able to demonstrate an adequate level of protection was by signing up to the Safe Harbor principles, a self-certification standard operated by the US Department of Commerce and enforced by the FTC.

The Safe Harbor regime came under scrutiny in the wake of the Snowden revelations around mass surveillance of European data by the US intelligence agencies. While the European Parliament called for its suspension, the Commission decided on the more practical approach of renegotiation. Meanwhile, an Austrian student, Max Schrems, had issued proceedings against Facebook Ireland objecting to the fact that its servers are located in the USA on the basis that the USA offers no real protection of EU citizen data against State surveillance. The case moved more swiftly than the Safe Harbor renegotiation and in October 2015, a shock judgment from the Court of Justice of the European Union (CJEU) effectively ended data transfers under Safe Harbor and, indirectly, cast doubt on other data transfer mechanisms to the USA.

What next?

The Article 29 Working Party (WP), individual Member State regulators and the European Commission, all commented on the effect of the CJEU judgment but have not necessarily come up with a coherent view. The WP confirms that transfers from the EU to the US can no longer be based on the Safe Harbor Decision 2000/520 (Decision). It goes on to say given that the fundamental issue was “massive and indiscriminate surveillance”, there is a need to assess the impact of the CJEU ruling on other data transfer solutions. At the moment though, these transfer solutions are still valid. The WP commits regulators to enforcing the effect of the judgment after 31 January 2016 if no alternative solution is found by then.

The WP called for a coherent approach from Member State regulators but we can see by the responses issued by the UK’s ICO and the German regulators, that this is far from being the case. The ICO, while recognising the effect of the ruling on Safe Harbor and the resulting question mark over other data transfer solutions, has taken a pragmatic approach. His advice is “don’t’ panic”. He urges organisations to review their data export solutions but not to rush into alternatives to Safe Harbor until there is more clarity, particularly over the likelihood of a new Safe Harbor agreement (popularly referred to as Safe Harbor 2.0). The ICO will consider individual complaints but has no enforcement plans above and beyond the usual ones. The German regulators have, however, taken a harsher stance with no enforcement holiday, no consideration of new BCRs and a reminder that consent will only work in exceptional circumstances.

The EC has also released a (not particularly informative) Communication. It is frantically trying to agree Safe Harbor 2.0 with the USA and is aiming to reach agreement in early 2016. Some hope is held out by the Judicial Redress Bill, currently before the Senate. If adopted, it would extend privacy protections given to US citizens under the Privacy Act 1974 to EU citizens. The EC is also watching other privacy developments in the USA.

In addition, of course, we are expecting to see the introduction of the General Data Protection Regulation (GDPR) in 2016 which will also impact on data exports. For more on how the GDPR is expected to deal with this issue, see our article 'Data exports under the GDPR – who's saying what'.

What's the solution?

The CJEU ruling has caused widespread concern, commercially, legally and politically. Crucially, it left a great deal of uncertainty, not only over data previously being transferred under Safe Harbor, but about what to do next given the question mark over other data export solutions like BCRs and Model Contract Clauses.

The two fundamental issues the EU has with transferring EU personal data to the US are the lack of judicial redress for EU citizens and the failure of protections afforded to US citizens in respect of their privacy to apply to EU citizens. The fact that there is no mechanism to assess whether access to EU data for intelligence purposes is necessary and proportionate is a major stumbling block.

If you have been relying on Safe Harbor to transfer or receive EU personal data, these are uncertain times. An alternative transfer solution is definitely needed but, as the ICO comments, we are now in a period of some uncertainty which is made all the more complicated by the pending General Data Protection Regulation and the possibility of Safe Harbor 2.0. Possibly the safest means of compliance is relocating data to the EU but that is not always a practical solution and is unlikely to eliminate data transfers altogether, even if it were to reduce them significantly. While some regulators take the view that the Model Contract Clauses will need to change to reflect the CJEU judgment, these are still likely to be the best interim solution and the easiest to put in place before the WP’s deadline of 31 January 2016. Despite the ICO’s advice not to rush into alternative solutions, doing nothing is probably not the best course of action even though there is currently no bullet proof long term solution to the issue.

Whether or not Safe Harbor 2.0 is agreed, the issue of how to export EU personal data to the US is likely to dominate the first half of the year at the very least.