This morning the European Court of Justice (ECJ), as widely predicted, issued a ruling that Decision 2000/520/EC, the original decision that enabled the U.S./EU Safe Harbor Framework to provide blanket permission to data transfers from the EU to the U.S., is invalid. This ruling means that national data protection authorities can now review such data transfers on an individual basis.
So does this mean it is illegal for EU companies to transfer personal data to the U.S. under the Safe Harbor Program?
Not exactly. The ECJ has invalidated the blanket “stamp of approval” given to data transfers under the Safe Harbor Program by Commission Decision 2000/520/EC. This means that individual countries can now review transfers on a case-by-case basis to determine if they are valid. Until today, the Safe Harbor Program constituted a de facto legal mechanism for the transfer of such data, and the national data protection authorities had no right to review/challenge those transfers. While this change doesn’t outright invalidate the Safe Harbor Program, it does now allow for legal challenge and therefore places an additional burden on European companies to show that an ‘adequate level of protection’ is afforded to the personal data being transferred.
How does this affect U.S. companies that process EU personal data?
The European Commission (EC) and the various national data protection authorities haven’t yet issued guidance as to how European companies can continue to operate within the law. Because European data protection laws are implemented and enforced on a country-by-country basis, different countries may have different reactions. For example, some of the more conservative authorities (e.g., Germany, France, and Italy) are likely to say that the Safe Harbor Program alone cannot be relied upon as a legal method of data transfer. Other countries may take a more relaxed approach and state that whether or not a transfer under Safe Harbor is legal will depend on a number of factors, including the nature of the data being transferred (and how likely it is to be the subject of U.S. government surveillance) and the purposes for which it is processed. Likewise, companies themselves are likely to have different reactions depending on where they (and their data subjects) are located, the nature of the data being transferred, and their sensitivity to risk.
As discussed above, European companies are likely to be faced with different or additional compliance obligations with respect to transfers of personal data to the U.S., which will likely flow down into their contracts with U.S. data processors in the form of additional contractual protections. This is likely to happen quickly as companies rush to ensure that they are acting in compliance with local law. Things will shake out more in the next few days/weeks as guidance is provided by national data protection authorities, but European companies are likely to be very wary of opening themselves up to investigations. As a result, continued reliance on the Safe Harbor Program alone is unlikely.
What should you be doing now?
- Review your existing agreements and understand what you have agreed to do in terms of data protection. Is there a right of termination if the Safe Harbor Program is deemed invalid?
- Think about alternative methods for the transfer of personal data, and come up with a consistent message to provide assurances to your clients. Safe Harbor is not the only legal method of transferring personal data from the EU to the U.S. Other common methods include:
  - Obtaining the unambiguous consent of the data subject to the transfer;
  - Model Contract Clauses;
  - Binding corporate rules; and/or
  - Other exceptions, including arguing that the transfer is necessary for purposes of concluding a contract with the data subject, or is in the public interest.
The applicability of the above alternative methods will depend greatly on the nature of the transfer and the governing European jurisdiction(s). Consent alone is unlikely (in most cases) to be sufficient, but when combined with an argument that the transfer is necessary for purposes of concluding a contract (e.g., in a retail relationship), it could provide a good alternative. Binding corporate rules are a solution only for intra-company transfers, and therefore aren’t really an option in the majority of cases. They are also time consuming and costly to implement. Model contract clauses (template contractual provisions in a form approved by the EC) provide probably the most obvious alternative to Safe Harbor; however, they are very inflexible and require the pass-through of certain liabilities, as well as broad audit obligations. Note that in certain jurisdictions (e.g., Germany) additional security obligations may be required over and above model contract clauses.
We are already seeing cases of European companies talking about turning off data transfers to our U.S. clients. While this is likely premature, it nonetheless highlights the need for U.S. companies to think about how to respond to this issue and develop responses to client questions and concerns.