Synopsis

The EU Court of Justice has struck down the US Safe Harbor framework, which lets EU businesses send personal data to US businesses registered under the scheme. The court said:

  • EU citizens’ rights to privacy and judicial protection are undermined by US mass surveillance and storage of personal data; and
  • national data protection authorities can independently investigate – and potentially suspend – personal data transfers on a case-by-case basis. EU-US data flows can continue under other mechanisms, but your business might need to review whether it still complies with EU law.

What’s the case about?

Background

Max Schrems, an Austrian law student and privacy activist, sought judicial review against the Irish Data Protection Commissioner’s decision over the US-EU Safe Harbor framework. The Irish High Court referred the case to the Court of Justice of the European Union (CJEU), which has now delivered its judgment.

What is Safe Harbor?

European data protection rules restrict transfer of personal data from the EEA to countries without ‘adequate’ data protection laws. The EU Commission decided in 2000 that personal data sent to US organisations that sign up to the Safe Harbor scheme is adequately protected. Safe Harbor organisations self-certify compliance with certain privacy principles, and the scheme is enforced by the US FTC. Safe Harbor is one of several (alternative) legal grounds for EU-US personal data transfers.

The issues

Mr Schrems, a Facebook user, challenged the Irish Data Protection Commissioner’s refusal to investigate his complaint about Facebook Ireland sending personal data to Facebook Inc, its Safe Harbor-certified parent with servers in the US. Mr Schrems argued that the Safe Harbor framework provides no real protection for personal data in light of the scale of US state surveillance activities revealed by Edward Snowden. The Data Protection Commissioner declined to investigate, arguing that it was bound by the EU Commission decision establishing Safe Harbor. The Irish High Court asked the CJEU whether the Data Protection Commissioner was bound by the Safe Harbor decision, or whether it should conduct its own investigation.

The CJEU’s judgment

The CJEU has held: 

  • on Safe Harbor: the Safe Harbor decision is invalid in light of subsequent revelations about the scale of US state surveillance because:
    • the Safe Harbor principles are subject to national security and law enforcement exceptions - and generalised surveillance and storage of EU citizens’ data sent to the US is incompatible with the fundamental right to respect for private life under the EU Charter of Fundamental Rights; and
    • Safe Harbor doesn’t give effective legal remedies to individuals who want to access, correct or delete their data: this is incompatible with the right to effective judicial protection under the Charter; and
     
  • on the supervisory powers of national data protection authorities (DPAs): DPAs have complete independence to investigate complaints from individuals on cross-border transfers of their personal data, even where the EU Commission has decided – as it did for Safe Harbor-certified transfers – that the destination country adequately protects personal data. DPAs cannot refuse to investigate complaints and, if DPAs reject complaints, individuals must be able to challenge those decisions in national courts. Where a DPA upholds a complaint about transfers covered by an EU Commission decision, the DPA must be able to ask a national court to refer the validity of the decision to the CJEU. Only the CJEU has the power to invalidate a Commission decision.   

What does it mean for Safe Harbor?

The judgment means the end of Safe Harbor as we know it, although there are other legal shelters for EU-US data transfers. Since the CJEU’s decision, the EU Commission has confirmed that businesses can continue to transfer data under the EU model clauses, ‘binding corporate rules’ (for intra-group transfers) and other exceptions in EU law, eg where an individual has consented.

EU-US negotiations on a revised Safe Harbor were already under way, and the judgment will add to the political pressure to agree a revised scheme. Over 4,000 US organisations are Safe Harbor-certified; the scheme has been widely used, not just by the world’s largest technology companies but also by thousands of SMEs. The US FTC has attributed over $100bn of economic activity to Safe Harbor-related data flows. After the CJEU’s decision, the EU Commission confirmed it was still committed to agreeing Safe Harbor 2.0.

The judgment means that any new Safe Harbor agreement must address the current lack of protection for EU citizens’ personal data from mass US surveillance; most data protection regimes allow targeted access to data for national security and law enforcement, but generalised, undifferentiated surveillance on the scale revealed by Edward Snowden isn’t compatible with EU citizens’ fundamental rights. Any replacement must also provide effective legal remedies for individuals. 

What should my business do now?

The EU and the US may replace Safe Harbor, but this is unlikely to happen quickly. In the interim, EU-US data transfers can continue, but businesses should take steps to manage their data protection risk. Right now, you should:

  • assess whether your organisation currently uses Safe Harbor as a legal basis for EU-US data transfers, including for customer and internal data (eg employee data). As well as data transfers in the ordinary course of business, it’s worth looking at arrangements on acquisitions;
  • review whether your suppliers use Safe Harbor. In particular, many enterprise cloud computing services rely on Safe Harbor for lawful data transfers to servers in the US (eg email, hosting, payroll, ERP and CRM systems, as well as cloud-based storage and compute services);
  • identify the best alternative legal basis for your EU-US data transfers. In the short term, most organisations will need to put contractual arrangements in place (eg the EU model clauses). It might also be worth considering longer-term solutions for intra-group data transfers, such as binding corporate rules;
  • be prepared for national DPAs to scrutinise your data transfers. The judgment doesn’t affect the validity of other legal bases for international data transfers, but it affirms that DPAs can investigate complaints on a case-by-case basis. Expect DPAs to focus on the substance rather than the legal form of safeguards; and consider how your business can prove it protects any data sent outside the EEA. 

We’re likely to hear more on this soon. The Commission has said it will issue guidance to DPAs, to ensure uniform decisions and to provide certainty for business. And there will no doubt be further announcements on the renewed Safe Harbor negotiations.