On Tuesday 6 October, the European Court of Justice (“ECJ”) decided that the EU / US Safe Harbor regime for data transfer is no longer safe.
Background on the EU-US Safe Harbor
The EU Data Protection Directive 95/46/EC (the “Directive”) states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Because the European Union does not consider the laws of the United States to provide an adequate level of protection, companies that collect or process data from the EU and send that data to the United States have historically had to adopt one of three compliance strategies approved by the EU Commission: certification through the US-EU Safe Harbor process, EU model contracts, or binding corporate rules.
The US-EU Safe Harbor certification process (the “Safe Harbor”) has been available since 2000. Initially, few companies availed themselves of the process. Indeed, more than two years after the framework had been put in place, fewer than 150 companies had entered the Safe Harbor. Recently, however, the Safe Harbor process gained in popularity, and more than 4,000 companies now have Safe Harbor status.
The Schrems decision
Mr. Schrems complained to the Irish Data Protection Commissioner about the transfer of his data by the Irish subsidiary of Facebook to the U.S., after Edward Snowden disclosed U.S. intelligence agencies’ collection of data from social media. The Irish authority rejected the complaint based on its view of the Safe Harbor framework. Schrems appealed to the Irish High Court, which referred the matter to the ECJ.
It is important to note that the validity of the Safe Harbor framework was not directly presented to the ECJ. As a result, the ECJ arguably went out of its way to address the validity of the framework. On October 6, 2015, it ruled that Commission Decision 2000/520, which sets out the Safe Harbor scheme, was invalid.
The ECJ did not decide the dispute between Max Schrems and Facebook itself. As a consequence of the decision, and subject to the High Court’s ruling, the Irish Data Protection Commissioner will be required to re-examine, with all due diligence, the complaint Max Schrems filed. After concluding its investigation, the Commissioner is to decide whether, pursuant to the applicable laws, the transfer of the data of Facebook’s European subscribers to the US should be suspended.
Impact on Companies Currently on the Safe Harbor List
Until now, companies exchanging data between the EU and the US could rely on the Safe Harbor regime, among other methods, to meet the requirement that data being transferred to the US enjoyed adequate protection. With the ECJ’s ruling, however, Safe Harbor is no longer an option.
For companies currently relying on Safe Harbor, this decision will have a real, if not immediate, impact. Implicit in the ECJ’s ruling is support for the view that the U.S. government’s access to data transferred to the United States is incompatible with the original reasons for the data’s transfer and “beyond what was strictly necessary and proportionate to the protection of national security.”
Impact on Other Adequacy Strategies
For the moment, EU model contracts and binding corporate rules are still available to data transferors to ensure the adequacy of protection for the personal data they transfer to the US. However, the sufficiency of these two methods will undoubtedly now be called into question based upon the reasoning in the ECJ’s decision. Specifically, like the EU Commission’s decision approving the Safe Harbor, the EU Commission’s determinations that EU model contracts and binding corporate rules are adequate to protect data did not address the allegedly excessive access of US authorities to data transferred to the US. If the failure to address that issue brought down the Safe Harbor, it may be only a matter of time before it brings down the other two adequacy mechanisms.