The European Court of Justice has on 6 October 2015 handed down a decision (Schrems, case C-362/04) holding that transfers of personal data from the EU to the US can no longer take place under the Safe Harbour framework. The framework has widely been relied on as the legal basis for EU-US data transfers, but after the ECJ’s ruling, this will no longer be an option.

The decision directly affects all European companies that have been transferring personal data to Safe Harbour-certified counterparts in the US. The decision will require prompt action by these companies.

The Court’s ruling stems from a complaint filed by Austrian Maximilian Schrems with the Irish Data Protection Commissioner, concerning Facebook’s transfer of his data to the US. Mr Schrems argued that – despite the Safe Harbour framework – the US can no longer be considered to offer an ‘adequate’ level of protection for personal data. Schrem’s claim was made in light of the large-scale surveillance activities of US National Security Agency NSA that were revealed by Edward Snowden.

Despite the Irish Data Protection Commissioner first rejecting Schrems’ claim, the European Court of Justice ultimately agreed with him and invalidated the EU Commission’s decision to authorise data transfers to the US under the Safe Harbour framework.

Under EU and Finnish data protection law, personal data can be transferred out of the EU/EEA only if the destination country provides an ‘adequate’ level of data protection or if other safeguards are met. While the US as a whole has never met the EU’s adequacy requirement, the EU Commission has authorised data transfers to individual companies that have undertaken to comply with the Safe Harbour rules, as these companies have been considered to offer adequate protection.

After the Schrems decision, even Safe Harbour-certified companies are no longer regarded as offering adequate protection for EU citizens’ personal data. An EU company wanting to transfer data to a US company will have to rely on complying with other safeguards in order to justify its US data transfers.

Generally speaking, an EU company can continue to transfer data to the US, despite the Schremsruling, provided that the company complies with one of the other available safeguard mechanisms:

  • The US partner can contractually undertake to comply with the European Commission’s ‘model clauses’. The model clauses are standard contract clauses that aim to ensure that data transferred under them is sufficiently protected. Of course, merely including the clauses in existing agreements is not sufficient: both parties must also ensure that they actually comply with the clauses’ substantive requirements.
  • The EU company may also draft its own contract terms intended to ensure that transferred data is sufficiently protected. Unlike the EU model clauses, however, such company-specific clauses must be approved by a national data protection supervisor before they can be relied on to justify data transfers to the US.
  • For group-internal data transfers to the US, the group can adopt ‘binding corporate rules’ (BCRs) for data protection. These are internal rules adopted by an international group of companies that define the policies the group follows in its cross-border data transfers. Before a group can rely on BCRs, the group’s rules must be approved by a Member State data protection supervisor.

Additionally, personal data may be transferred to the US where the relevant person gives his or her unambiguous consent to the transfer. However,e.g. when a company outsources IT systems, obtaining consent from all affected employees and customers can be difficult. There are also other safeguard mechanisms available, but they are rarely used by companies due to being impractical.

After Schrems, it will in principle be up to national data protection supervisors to decide on a case-by-case basis whether a data transfer meets all the relevant requirements (unlike Safe Harbour, which was an EU-level authorisation binding on the national supervisors). Nevertheless, the ‘Article 29 Working Party’ (WP29) – a co-operation body for the national EU data protection supervisors – has announced that it will issue uniform guidance for how to comply with the post-Schrems rules later this week. The Finnish Data Protection Ombudsman is expected to issue his own statement after the WP29 guidelines are issued.

We strongly advise companies to review their existing agreements and data transfer arrangements. If the company has relied on the Safe Harbour framework, it must carefully consider how best to comply with the new rules. Companies should also note that even if their direct contract is with a local company, that local company may transfer data onwards to the US. Companies remain fully liable for such transfers, even if they take place further down the subcontracting chain.