The European Court of Justice ruled today that the European Commission’s decision that provided the basis for the EU/U.S. Safe Harbor Framework (Safe Harbor) is invalid. For 15 years the Safe Harbor has provided the primary means for companies to share data on European citizens with their U.S.-based operations and business partners. While the decision’s precise consequences are not yet clear, companies that have used the Safe Harbor to comply with EU data protection law when transferring data across borders need to begin their contingency planning now to avoid serious interruptions in their information systems and business processes. Stated simply, the court ruled that because U.S. national intelligence agencies may be able to access EU citizens’ personal information when those data are stored in the U.S., the Safe Harbor could not provide adequate protection for those data and thus the transfer could not comply with EU law.
For almost two decades European privacy law has prohibited the transfer of data on European citizens to countries that, in the EU’s view, do not provide adequate privacy protection that meets EU legal standards. The EU declared that U.S. law does not provide sufficient protection, making transfers of EU data to the U.S. illegal. The EU and U.S. agreed to the Safe Harbor, a framework under which companies may self-certify compliance with EU privacy standards and adopt privacy practices that meet those standards. Over 4,000 companies have signed on to the Safe Harbor, and in its absence it is unclear how they and other companies can continue to process data on a global scale. For example, one common alternative to the Safe Harbor is a so-called “Model Contract” by which a company agrees with its European affiliates to comply with EU law when receiving and processing EU data in the U.S. Unfortunately, the decision’s reasoning appears to cover Model Contracts as well, meaning that a potential Plan B may not be available.
In the short term, the decision returns to the 28 European national Data Protection Authorities the question of whether a particular data transfer complies with European privacy law and directs those agencies to handle claims on a case-by-case basis. We are in a period of serious uncertainty, but companies should plan now for what may come next.