This week the European Union Court of Justice (“EUCJ”) struck down the U.S.-EU Safe Harbor Framework governing the transfer of personal data from the European Union to the United States that had been in place since 2000 (“Safe Harbor”).[1] Safe Harbor governed the most common set of requirements under which organizations could legally transfer personal data from EU member countries to the U.S. According to DigitalEurope, a digital technology industry trade group, about 4,500 companies have relied on Safe Harbor to “transfer a wide range of commercial data such as payroll and customer data.”[2] Safe Harbor also provided the framework through which U.S. litigants routinely produced European discovery documents to the U.S. without running afoul of European privacy laws. The EUCJ’s judgment leaves U.S. and EU authorities scrambling to fill the resulting legal vacuum. Organizations that rely on Safe Harbor to transfer personal data from Europe to the U.S. should start exploring alternative data export arrangements.

[1] Case C-362/14, Schrems v. Data Prot. Comm’r, 2015 E.C.R. ---.
The case started when Schrems, an Austrian citizen and Facebook user, challenged the Irish supervisory authority (the Irish Data Protection Commissioner) regarding the fact that Facebook Ireland Ltd transferred part of his Facebook data to the U.S. Schrems alleged that, in light of the Snowden revelations regarding NSA monitoring activities, “the law and practice in force” in the U.S. did not afford his personal data held by Facebook the level of privacy protection to which he was entitled under European law. The case eventually wound its way to the EUCJ through the High Court of Ireland.
The Commission enacted Safe Harbor to accommodate the fact that the EU did not deem U.S. data privacy safeguards stringent enough to satisfy the EU’s Data Protection Directive 95/46/EC (“Directive”). The Directive details the protection that must be afforded to the privacy of personal data under EU law, including how these data can be transferred to a third country. Safe Harbor provided a framework of voluntary compliance and self-certification for U.S. organizations that needed to transfer personal data from the EU to the U.S.
The EUCJ held that the Directive requires a third country receiving EU-sourced personal data “ensure” a level of protection “essentially equivalent” to that guaranteed by EU law. Were it otherwise, the level of protection afforded under EU law could be easily circumvented by moving data abroad. With that holding, the EUCJ invalidated Safe Harbor, reasoning that:
- Safe Harbor is only binding on U.S. organizations that agree to adhere to its principles. Safe Harbor is not binding on U.S. public authorities, and its language expressly states that its applicability may be limited “to the extent necessary to meet national security, public interest, or law enforcement requirements.” Safe Harbor also states that where compliance conflicts with U.S. law, the latter prevails. As a result, organizations can disregard their Safe Harbor obligations to comply with U.S. authorities, and U.S. authorities can have unfettered access to the data.
- Safe Harbor allowed U.S. authorities to usurp the fundamental privacy rights of Europeans whose data were transferred to the U.S. The Commission itself had found that, following the Snowden revelations, U.S. authorities had, in fact, accessed EU-sourced personal data for reasons incompatible with those for which the data were transferred and “beyond what was strictly necessary and proportionate to the protection of national security.”
- Aggrieved Europeans have no legal recourse in the U.S. to access, rectify, or erase their personal data, in violation of EU law.
- The Directive required the Commission to find that the U.S. ensured an adequate level of protection of EU personal data rights by virtue of its internal laws or international agreements. But the Commission made no such finding.
The case now reverts to the Irish Data Protection Commissioner to decide Schrems’s claims on the merits, and whether to halt Facebook’s data traffic to the U.S. Common sense suggests that most European data protection authorities are unlikely to take aggressive action against organizations that rely on Safe Harbor immediately on the heels of this EUCJ judgment. That said, organizations that transfer personal data to the U.S. will likely be hearing more in the future from European regulators, European plaintiffs, or both, especially in countries that have historically viewed these data transfers with suspicion, such as France and Germany. Astute organizations should, therefore, begin to explore the alternative approved mechanisms to facilitate legal data transfers out of the EU, including model contractual clauses and binding corporate rules.