Today, in a ground-breaking Decision, the Court of Justice of the European Union (CJEU) declared the US Safe Harbor scheme to be invalid, as well as confirming that individuals have the right to challenge any similar schemes that may be established by the European Commission through their national data protection authorities.
The US Safe Harbor framework was established 15 years ago to provide a mechanism by which European businesses could validly transfer personal data from the EU to the US. The framework has been widely adopted, with over 5000 companies currently using the scheme to support the free flow of data across the Atlantic. It is commonly adopted for data transfers needed to support intra-group operations (for example, to assist a US parent in managing EU-based activities) and outsourced services involving a US cloud or software-as-a-service (SaaS) provider.
The Decision of the CJEU will have a significant and immediate impact on any business that has relied on Safe Harbor to date to enable these operations, and will require a change in approach to cross-border data transfers.
Impact for businesses
We expect it will take time for the full practical implications of the decision to flow down and take effect, with national data protection authorities likely to develop their own interpretation and positions. What is clear, however, is that Safe Harbor as it stands at the moment is not valid.
- The decision will have an immediate impact on any organisation currently relying on Safe Harbor as a basis for transferring data to the US, either intra-group or through their supply chain. Subject to any guidance issued by local supervisory authorities (see below), these arrangements are now likely to be invalid. To understand the risks and plan effectively, organisations should quickly identify any arrangements they rely on that are underpinned by Safe Harbor. A strategy can then be adopted to consider alternative arrangements to authorise continuing data transfers to the US. In many cases this may involve adoption of EC-approved standard contractual clauses.
- In the medium term, we expect to see a more fragmented approach from the 28 national supervisory authorities to future decision making around transfers of data to the US. This is likely to create greater uncertainty for any multinational business operating within Europe, as regulators may feel empowered by the decision to make independent assessments on adequacy for any alternative arrangements organisations may be considering instead of Safe Harbor – potentially replaying concerns noted in the court decision about the wide scope of the Patriot Act as a basis for undermining the viability of other well-established transfer routes such as the EC model clauses.
- A more fragmented regulatory approach on cross-border issues at a time when legislators are trying their best to support a more integrated global information society will be unwelcome, adding significant cost and regulatory burden to organisations who may feel exposed and vulnerable to challenges from changing political landscapes.
- If a European national supervisory authority has the power to investigate and suspend the transfer of the personal data in question to the US, irrespective of Safe Harbor, this will create a new and substantial obstacle for any US business looking to establish a ‘data importing’ business model in the EU market. This could lead to a position where US companies will need to establish separate consent arrangements for data sharing, which may put them at a major disadvantage when building a consumer-facing business model in comparison with EU-based companies.
- Although these other legal avenues exist for sharing personal data between EU companies and citizens and US companies, these solutions are often onerous and difficult to implement on a global scale. Safe Harbor functions as a kind of ‘one stop shop’, a practical solution to allow data transfers from the EU to a trusted business partner in the US – Europe risks endangering this important relationship for transatlantic economic growth.
- Over the past two years, the EU Commission has been working and negotiating intensively with US authorities to reach a joint solution for the public concern and distrust generated by the revelations based on leaked documents from Edward Snowden back in June 2013 (which confirmed that US authorities can have access on a mass basis to personal data of individuals living in the EU). The two sides of the Atlantic are almost at the end of this extensive negotiating period but the Decision of the CJEU halts momentum to reach a safe solution and risks a swift return to square one.
- More broadly, the Decision of the CJEU does not only have an impact on Safe Harbor but potentially opens the scope for national authorities to challenge other Decisions of the European Commission (such as, for instance, the standard contractual clauses for controller-controller or controller-processor data transfers).